extend local build script with step to sign build files

# Conflicts:
#	.github/workflows/win-exe.yml
#	dist/win/.gitignore

.github/CONTRIBUTING.md

@@ -20,10 +20,6 @@
 
 Translations are not managed directly in this repository. Instead, we use [Crowdin](https://translate.cryptomator.org/), which automatically synchronizes translations with this repository. If you want to help us with translations, please visit our translation project on Crowdin.
 
-## Use of Generative AI
-
-AI tools may assist your work, but every contribution must be fully understood, reviewed, and tested by you. Only submit changes you can clearly explain and justify. Unverified or low-quality AI output that wastes our time and resources will be closed without further review.
-
 ## Code of Conduct
 
 Help us keep Cryptomator open and inclusive. Please read and follow our [Code of Conduct](https://github.com/cryptomator/cryptomator/blob/develop/.github/CODE_OF_CONDUCT.md).

.github/actions/win-sign-action/action.yml

@@ -1,76 +0,0 @@
-name: 'Windows Code Signing'
-description: 'Sign files on Windows with the Azure Trusted Signing'
-inputs:
-  base-dir:
-    description: 'Absolute path to the base directory to search for files'
-    required: true
-  recursive:
-    description: 'Whether to search recursively in subdirectories'
-    required: false
-    default: 'false'
-  file-extensions:
-    description: 'List of file extensions to sign, separated by comma'
-    required: true
-    default: 'exe,dll,ps1'
-  description:
-    description: 'Signature description'
-    required: true
-    default: 'Cryptomator'
-  url:
-    description: 'Signature URL'
-    required: false
-    default: 'https://cryptomator.org'
-  append-signature:
-    description: 'Whether to append the signature to existing signatures'
-    required: false
-    default: 'false'
-  tenant-id:
-    description: 'Azure Tenant ID'
-    required: true
-  client-id:
-    description: 'Azure Client ID'
-    required: true
-  client-secret:
-    description: 'Azure Client Secret'
-    required: true
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Generate, mask, and output the input secrets
-      id: set-secrets
-      run: |
-        echo "::add-mask::${{ inputs.tenant-id }}"
-        echo "::add-mask::${{ inputs.client-id }}"
-        echo "::add-mask::${{ inputs.client-secret }}"
-        echo "tenant-id=${{ inputs.tenant-id }}" >> "$GITHUB_OUTPUT"
-        echo "client-id=${{ inputs.client-id }}" >> "$GITHUB_OUTPUT"
-        echo "client-secret=${{ inputs.client-secret }}" >> "$GITHUB_OUTPUT"
-      shell: bash
-    - name: Sign DLLs with Azure Trusted Signing
-      uses: azure/artifact-signing-action@87c2e83e6868da99d3380aa309851b32ed9a8346 # v1.1.0
-      with:
-        files-folder: ${{ inputs.base-dir }}
-        files-folder-filter: ${{ inputs.file-extensions }}
-        files-folder-recurse: ${{ inputs.recursive }}
-        append-signature: ${{ inputs.append-signature }}
-        description: ${{ inputs.description }}
-        description-url: ${{ inputs.url }}
-        azure-tenant-id: ${{ steps.set-secrets.outputs.tenant-id }}
-        azure-client-id: ${{ steps.set-secrets.outputs.client-id }}
-        azure-client-secret: ${{ steps.set-secrets.outputs.client-secret }}
-        signing-account-name: cryptomatorSigning
-        certificate-profile-name: production
-        endpoint: https://weu.codesigning.azure.net/
-        timestamp-rfc3161: http://timestamp.acs.microsoft.com
-        timestamp-digest: SHA256
-        exclude-environment-credential: false
-        exclude-workload-identity-credential: true
-        exclude-managed-identity-credential: true
-        exclude-shared-token-cache-credential: true
-        exclude-visual-studio-credential: true
-        exclude-visual-studio-code-credential: true
-        exclude-azure-cli-credential: true
-        exclude-azure-powershell-credential: true
-        exclude-azure-developer-cli-credential: true
-        exclude-interactive-browser-credential: true

.github/dependabot.yml

@@ -14,9 +14,6 @@ updates:
         versions: ["2.0.1.MR"]
       - dependency-name: "org.openjfx:*"
         update-types: ["version-update:semver-major"]
-      # due to https://github.com/fabriciorby/maven-surefire-junit5-tree-reporter/issues/68
-      - dependency-name: "org.apache.maven.plugins:maven-surefire-plugin"
-        versions: [ "3.5.4", "3.5.5" ]
     groups:
       java-test-dependencies:
         patterns:

.github/workflows/appimage.yml

@@ -8,10 +8,6 @@ on:
       version:
         description: 'Version'
         required: false
-      create-pr:
-        description: 'Create a PR for aur-bin repo'
-        type: boolean
-        default: false
   push:
     branches-ignore:
       - 'dependabot/**'
@@ -23,7 +19,7 @@ on:
 
 env:
   JAVA_DIST: 'temurin'
-  JAVA_VERSION: '25.0.2+10.0.LTS'
+  JAVA_VERSION: '24.0.1+9'
 
 jobs:
   get-version:
@@ -35,28 +31,22 @@ jobs:
     name: Build AppImage
     runs-on: ${{ matrix.os }}
     needs: [get-version]
-    env:
-      SEMVER_STR: ${{ needs.get-version.outputs.semVerStr }}
-      SEMVER_NUM: ${{ needs.get-version.outputs.semVerNum }}
-      REV_NUM: ${{ needs.get-version.outputs.revNum }}
     strategy:
       fail-fast: false
       matrix:
         include:
           - os: ubuntu-latest
-            arch: x86_64
-            openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip'
-            openjfx-sha: 'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
-            appimagetool-sha: 'ed4ce84f0d9caff66f50bcca6ff6f35aae54ce8135408b3fa33abfc3cb384eb0'
+            appimage-suffix: x86_64
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/24.0.1/openjfx-24.0.1_linux-x64_bin-jmods.zip'
+            openjfx-sha: '425fac742b9fbd095b2ce868cff82d1024620f747c94a7144d0a4879e756146c'
           - os: ubuntu-24.04-arm
-            arch: aarch64
-            openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip'
-            openjfx-sha: 'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'
-            appimagetool-sha: 'f0837e7448a0c1e4e650a93bb3e85802546e60654ef287576f46c71c126a9158'
+            appimage-suffix: aarch64
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/24.0.1/openjfx-24.0.1_linux-aarch64_bin-jmods.zip'
+            openjfx-sha: '7e02edd0f4ee5527a27c94b0bbba66fcaaff41009119e45d0eca0f96ddfb6e7b'
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -65,7 +55,7 @@ jobs:
       - name: Download OpenJFX jmods
         id: download-jmods
         run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
           echo "${{ matrix.openjfx-sha }}  openjfx-jmods.zip" | shasum -a256 --check
           mkdir -p openjfx-jmods
           unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -83,9 +73,9 @@ jobs:
             exit 1
           fi
       - name: Set version
-        run : mvn versions:set -DnewVersion="$SEMVER_STR"
+        run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Plinux -DskipTests
+        run: mvn -B clean package -Plinux -DskipTests -Djavafx.platform=linux
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
@@ -104,15 +94,13 @@ jobs:
           ${JAVA_HOME}/bin/jlink
           --verbose
           --output runtime
-          --module-path "${JMOD_PATHS}"
-          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler
+          --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler
           --strip-native-commands
           --no-header-files
           --no-man-pages
           --strip-debug
           --compress zip-0
-        env:
-          JMOD_PATHS: ${{ steps.jep-493-check.outputs.jmod_paths }}
       - name: Run jpackage
         run: >
           ${JAVA_HOME}/bin/jpackage
@@ -126,26 +114,25 @@ jobs:
           --name Cryptomator
           --vendor "Skymatic GmbH"
           --copyright "(C) 2016 - 2025 Skymatic GmbH"
-          --app-version "${SEMVER_NUM}.${REV_NUM}"
+          --app-version "${{  needs.get-version.outputs.semVerNum }}.${{  needs.get-version.outputs.revNum }}"
           --java-options "--enable-preview"
           --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator"
+          --java-options "--sun-misc-unsafe-memory-access=allow"
           --java-options "-Xss5m"
           --java-options "-Xmx256m"
-          --java-options "-Dcryptomator.appVersion=\"${SEMVER_STR}\""
+          --java-options "-Dcryptomator.appVersion=\"${{  needs.get-version.outputs.semVerStr }}\""
           --java-options "-Dfile.encoding=\"utf-8\""
           --java-options "-Djava.net.useSystemProxies=true"
-          --java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\""
           --java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\""
+          --java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\""
           --java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:@{userhome}/.Cryptomator/settings.json\""
           --java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\""
           --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\""
           --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/.local/share/Cryptomator/mnt\""
           --java-options "-Dcryptomator.showTrayIcon=true"
           --java-options "-Dcryptomator.integrationsLinux.trayIconsDir=\"@{appdir}/usr/share/icons/hicolor/symbolic/apps\""
-          --java-options "-Dcryptomator.buildNumber=\"appimage-${REV_NUM}\""
+          --java-options "-Dcryptomator.buildNumber=\"appimage-${{  needs.get-version.outputs.revNum }}\""
           --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\""
-          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
-          --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log"
           --resource-dir dist/linux/resources
       - name: Patch Cryptomator.AppDir
         run: |
@@ -168,8 +155,7 @@ jobs:
           ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun
       - name: Download AppImageKit
         run: |
-          curl --silent --fail-with-body --proto "=https" -L "https://github.com/AppImage/appimagetool/releases/download/1.9.1/appimagetool-${{ matrix.arch }}.AppImage" -o appimagetool.AppImage
-          echo "${{ matrix.appimagetool-sha }}  appimagetool.AppImage" | shasum -a256 --check
+          curl -L https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-${{ matrix.appimage-suffix }}.AppImage -o appimagetool.AppImage
           chmod +x appimagetool.AppImage
           ./appimagetool.AppImage --appimage-extract
       - name: Prepare GPG-Agent for signing with key 615D449FE6E6A235
@@ -181,17 +167,17 @@ jobs:
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Build AppImage
         run: >
-          ./squashfs-root/AppRun Cryptomator.AppDir cryptomator-${SEMVER_STR}-${{ matrix.arch }}.AppImage
-          -u "gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${{ matrix.arch }}.AppImage.zsync"
+          ./squashfs-root/AppRun Cryptomator.AppDir cryptomator-${{  needs.get-version.outputs.semVerStr }}-${{ matrix.appimage-suffix }}.AppImage
+          -u "gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${{ matrix.appimage-suffix }}.AppImage.zsync"
           --sign --sign-key=615D449FE6E6A235
       - name: Create detached GPG signatures
         run: |
           gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage
           gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage.zsync
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@v4
         with:
-          name: appimage-${{ matrix.arch }}
+          name: appimage-${{ matrix.appimage-suffix }}
           path: |
             cryptomator-*.AppImage
             cryptomator-*.AppImage.zsync
@@ -199,7 +185,7 @@ jobs:
           if-no-files-found: error
       - name: Publish AppImage on GitHub Releases
         if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@v2
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
@@ -210,77 +196,65 @@ jobs:
 
   create-aur-bin-pr:
     name: Create PR for aur-bin repo
-    if:  github.event_name == 'workflow_dispatch' && inputs.create-pr || github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable'
-    runs-on: ubuntu-latest
     needs: [build, get-version]
-    container:
-      image: archlinux:base-devel
-    env:
-      SEMVER_STR: ${{ needs.get-version.outputs.semVerStr }}
-      PKGDEST: ${{ github.workspace }}/pkgdest
-      SRCDEST: ${{ github.workspace }}/srcdest
+    runs-on: ubuntu-latest
+    if: github.event_name == 'release'
     steps:
-      - name: Prepare pacman
+      - name: Download AppImages
+        uses: actions/download-artifact@v4
+        with:
+          path: downloads/
+          merge-multiple: true
+      - name: Compute sha256 hash of AppImages
+        id: checksums
         run: |
-          pacman-key --init
-          pacman-key --populate archlinux
-          pacman -Syu --noconfirm --needed git base-devel sudo gnupg maven unzip github-cli curl pacman-contrib
-      - name: Checkout cryptomator/aur-bin
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+          X64_SHA256=$(sha256sum downloads/cryptomator-*-x86_64.AppImage | cut -d ' ' -f1)
+          echo "x64-sha256sum=${X64_SHA256}" >> "$GITHUB_OUTPUT"
+          AARCH64_SHA256=$(sha256sum downloads/cryptomator-*-aarch64.AppImage | cut -d ' ' -f1)
+          echo "aarch64-sha256sum=${AARCH64_SHA256}" >> "$GITHUB_OUTPUT"
+      - uses: actions/checkout@v4
         with:
           repository: 'cryptomator/aur-bin'
           token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Create build user
+      - name: Install dependencies
         run: |
-          useradd -m builder
-          echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder
-          chown -R builder:builder "$GITHUB_WORKSPACE"
-          install -d -m 0755 -o builder -g builder "$PKGDEST" "$SRCDEST"
-      - name: Import Cryptomator release signing key
-        # try first ubuntu. on failure try openpgp keyservers
-        run: >
-          sudo -u builder gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
-          || sudo -u builder gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
+          sudo apt-get update
+          sudo apt-get -y install makepkg pacman-package-manager
       - name: Checkout release branch
         run: |
-          git config --global safe.directory '*'
-          git checkout -b "release/${SEMVER_STR}"
+          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
       - name: Update build file
         run: |
-          sed -i -e "s|^pkgver=.*$|pkgver=${SEMVER_STR}|" PKGBUILD
+          sed -i -e 's|^pkgver=.*$|pkgver=${{ needs.get-version.outputs.semVerStr }}|' PKGBUILD
           sed -i -e 's|^pkgrel=.*$|pkgrel=1|' PKGBUILD
-          sudo -u builder updpkgsums
-          sudo -u builder makepkg --printsrcinfo > .SRCINFO
-      - name: Build package with makepkg
-        run: >
-          sudo -u builder
-          env PKGDEST="$PKGDEST" SRCDEST="$SRCDEST"
-          makepkg --syncdeps --cleanbuild --noconfirm --log
+          sed -i -e "s|^sha256sums_x86_64=.*$|sha256sums_x86_64=('${{ steps.checksums.outputs.x64-sha256sum }}'|" PKGBUILD
+          sed -i -e "s|^sha256sums_aarch64=.*$|sha256sums_aarch64=('${{ steps.checksums.outputs.aarch64-sha256sum}}'|" PKGBUILD
+          makepkg --printsrcinfo > .SRCINFO
       - name: Commit and push
         run: |
-          git config user.name "cryptobot"
-          git config user.email "cryptobot@users.noreply.github.com"
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
           git config push.autoSetupRemote true
-          git stage PKGBUILD .SRCINFO
-          git commit -m "Prepare release ${SEMVER_STR}"
+          git stage .
+          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
           git push
       - name: Create pull request
         id: create-pr
         run: |
-          printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md
-          PR_URL=$(gh pr create --title "Release ${SEMVER_STR}" --body-file pr_body.md)
-          echo "url=$PR_URL" >> "$GITHUB_OUTPUT"
+          printf "> [!IMPORTANT]\n> Todos:\n> - [ ] Update build instructions\n> - [ ] Check for JDK update\n> - [ ] Check for JFX update" > pr_body.md
+          URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
+          echo "PR_URL=$URL" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
       - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        uses: rtCamp/action-slack-notify@v2
         env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
           SLACK_USERNAME: 'Cryptobot'
           SLACK_ICON: false
           SLACK_ICON_EMOJI: ':bot:'
           SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "AUR-bin release PR for ${{ github.event.repository.name }} ${{ needs.get-version.outputs.semVerStr }} created."
-          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.url }}|PR> on how to proceed."
+          SLACK_TITLE: "AUR-bin release PR for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
+          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.PR_URL }}|PR> on how to proceed."
           SLACK_FOOTER: false
           MSG_MINIMAL: true

.github/workflows/aur.yml

@@ -0,0 +1,93 @@
+name: Create PR for AUR
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag'
+        required: true
+
+jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.tag }}
+  tarball:
+    name: Determines tarball url and compute checksum
+    runs-on: ubuntu-latest
+    needs: [get-version]
+    if:  github.event_name == 'workflow_dispatch' || needs.get-version.outputs.versionType == 'stable'
+    outputs:
+      url: ${{ steps.url.outputs.url}}
+      sha256: ${{ steps.sha256.outputs.sha256}}
+    steps:
+      - name: Determine tarball url
+        id: url
+        run: |
+          URL="";
+          if [[ -n "${{ inputs.tag }}"  ]]; then
+            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ inputs.tag }}.tar.gz"
+          else
+            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz"
+          fi
+          echo "url=${URL}" >> "$GITHUB_OUTPUT"
+      - name: Download source tarball and compute checksum
+        id: sha256
+        run: |
+          curl --silent --fail-with-body -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
+          TARBALL_SHA256=$(sha256sum cryptomator.tar.gz | cut -d ' ' -f1)
+          echo "sha256=${TARBALL_SHA256}" >> "$GITHUB_OUTPUT"
+  aur:
+    name: Create PR for AUR
+    runs-on: ubuntu-latest
+    needs: [tarball, get-version]
+    env:
+      AUR_PR_URL: tbd
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: 'cryptomator/aur'
+          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install makepkg pacman-package-manager
+      - name: Checkout release branch
+        run: |
+          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
+      - name: Update build file
+        run: |
+          sed -i -e 's|^pkgver=.*$|pkgver=${{ needs.get-version.outputs.semVerStr }}|' PKGBUILD
+          sed -i -e 's|^pkgrel=.*$|pkgrel=1|' PKGBUILD
+          sed -i -e "s|^sha256sums=.*$|sha256sums=('${{ needs.tarball.outputs.sha256 }}'|" PKGBUILD
+          makepkg --printsrcinfo > .SRCINFO
+      - name: Commit and push
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+          git config push.autoSetupRemote true
+          git stage .
+          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
+          git push
+      - name: Create pull request
+        run: |
+          printf "> [!IMPORTANT]\n> Todos:\n> - [ ] Update build instructions\n> - [ ] Check for JDK update\n> - [ ] Check for JFX update" > pr_body.md
+          PR_URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
+          echo "AUR_PR_URL=$PR_URL" >> "$GITHUB_ENV"
+        env:
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@v2
+        if: github.event_name == 'release'
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "AUR release PR created for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
+          SLACK_MESSAGE: "See <${{ env.AUR_PR_URL }}|PR> on how to proceed."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true

.github/workflows/av-whitelist.yml

@@ -7,16 +7,6 @@ on:
         description: "Url to the file to upload"
         required: true
         type: string
-      avast:
-        description: "Upload to Avast"
-        required: false
-        type: boolean
-        default: true
-      kaspersky:
-        description: "Upload to Kaspersky"
-        required: false
-        type: boolean
-        default: true
   workflow_dispatch:
     inputs:
       url:
@@ -40,18 +30,16 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       fileName: ${{ steps.extractName.outputs.fileName}}
-    env:
-      INPUT_URL: ${{ inputs.url }}
     steps:
       - name: Extract file name
         id: extractName
         run: |
-          url="${INPUT_URL}"
+          url="${{ inputs.url }}"
           echo "fileName=${url##*/}" >> $GITHUB_OUTPUT
       - name: Download file
-        run: curl --silent --fail-with-body --proto "=https" -L "${INPUT_URL}" -o "${{steps.extractName.outputs.fileName}}"
+        run: curl --remote-name ${{ inputs.url }} -L -o ${{steps.extractName.outputs.fileName}}
       - name: Upload artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ steps.extractName.outputs.fileName }}
           path: ${{ steps.extractName.outputs.fileName }}
@@ -60,15 +48,15 @@ jobs:
     name: Anti Virus Allowlisting Kaspersky
     runs-on: ubuntu-latest
     needs: download-file
-    if: inputs.kaspersky
+    if: github.event_name == 'workflow_call' || inputs.kaspersky
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@v4
         with:
           name: ${{ needs.download-file.outputs.fileName }}
           path: upload
       - name: Upload to Kaspersky
-        uses: SamKirkland/FTP-Deploy-Action@a51268f67f6605236975928ae28b0f7e9971d50a # v4.6.3
+        uses: SamKirkland/FTP-Deploy-Action@v4.3.5
         with:
           protocol: ftps
           server: allowlist.kaspersky-labs.com
@@ -80,15 +68,15 @@ jobs:
     name: Anti Virus Allowlisting Avast
     runs-on: ubuntu-latest
     needs: download-file
-    if: inputs.avast
+    if: github.event_name == 'workflow_call'  || inputs.avast
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@v4
         with:
           name: ${{ needs.download-file.outputs.fileName }}
           path: upload
-      - name: Upload to Avast
-        uses: wlixcc/SFTP-Deploy-Action@a5ccb9c6211a94cc59404f0fdb2a9936a6dfee64 # v1.2.6
+      - name: Upload to Avast 
+        uses: wlixcc/SFTP-Deploy-Action@v1.2.6
         with:
           server: whitelisting.avast.com
           port: 22

.github/workflows/build.yml

@@ -11,7 +11,7 @@ on:
 
 env:
   JAVA_DIST: 'temurin'
-  JAVA_VERSION: 25
+  JAVA_VERSION: 24
 
 defaults:
   run:
@@ -22,14 +22,14 @@ jobs:
     name: Compile and Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Cache SonarCloud packages
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@v4
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
@@ -37,7 +37,7 @@ jobs:
       - name: Build and Test
         run: >
           xvfb-run
-          mvn -B verify
+          mvn -B verify -Djavafx.platform=linux
           jacoco:report
           org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
           -Pcoverage
@@ -49,28 +49,28 @@ jobs:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       - name: Draft a release
         if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@v2
         with:
           draft: true
           discussion_category_name: releases
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
           generate_release_notes: true
           body: |-
-            > [!NOTE]
-            > 🚧 Work in Progress 🚧
-            >
-            > Please be patient, the [builds are still running](https://github.com/cryptomator/cryptomator/actions). Binary packages can be found here in a few moments.   
-            
-            <!--REPLACE with auto-generated release notes (see below)
+            :construction: Work in Progress
             ### What's New 🎉
-            ### Bugfixes 🐛
-            ### Other Changes 📎
-            END REPLACE-->
             
-            For a comprehensive view of changes, read the [CHANGELOG](https://github.com/cryptomator/cryptomator/blob/develop/CHANGELOG.md).
+            ### Bugfixes 🐛
+            
+            ### Other Changes 📎
             
             ---
             
+            TODO FULL CHANGELOG
+            
+            📜 List of closed issues is available [here](TODO)
+            
+            ---
+            ⏳ Please be patient, the builds are still [running](https://github.com/cryptomator/cryptomator/actions). New versions of Cryptomator can be found here in a few moments. ⏳
             
             <!-- Don't forget to include the
             💾 SHA-256 checksums of release artifacts:
@@ -78,9 +78,4 @@ jobs:
             ```
             -->
             
-            > [!TIP]
-            > You can verify the GPG signature of all assets using our public key: [`5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235`](https://gist.github.com/cryptobot/211111cf092037490275f39d408f461a).
-            
-            
-            
-            <!-- Auto-Generated Release Notes: -->
+            As usual, the GPG signatures can be checked using [our public key `5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235`](https://gist.github.com/cryptobot/211111cf092037490275f39d408f461a).

.github/workflows/check-jdk-updates.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  JDK_VERSION: '25.0.1+8.0.LTS'
+  JDK_VERSION: '24.0.1+9'
   JDK_VENDOR: temurin
   RUNTIME_VERSION_HELPER: >
     public class Test {
@@ -23,10 +23,10 @@ jobs:
         JDK_MAJOR_VERSION: 'toBeFilled'
     steps:
       - name: Determine current major version
-        run: echo 'JDK_MAJOR_VERSION=${{ env.JDK_VERSION }}'.substring(0,2) >> "$env:GITHUB_ENV"
+        run: echo 'JDK_MAJOR_VERSION=${{ env.JDK_VERSION }}'.substring(0,20) >> "$env:GITHUB_ENV"
         shell: pwsh
       - name: Checkout latest JDK ${{ env.JDK_MAJOR_VERSION }}
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v4
         with:
           java-version: ${{ env.JDK_MAJOR_VERSION}}
           distribution: ${{ env.JDK_VENDOR }}
@@ -70,7 +70,7 @@ jobs:
           }
       - name: Notify
         if: steps.determine.outputs.UPDATE_AVAILABLE == 'true'
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        uses: rtCamp/action-slack-notify@v2
         env:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
           SLACK_USERNAME: 'Cryptobot'

.github/workflows/debian.yml

@@ -23,12 +23,13 @@ on:
 
 env:
   JAVA_DIST: 'temurin'
-  JAVA_VERSION: '25.0.2+10.0.LTS'
-  DEB_BUILD_DEPENDS: 'debhelper (>=10), openjdk-25-jdk (>= 25+36), libgtk-3-0 (>= 3.20.0), libxxf86vm1, libgl1'
-  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip'
-  OPENJFX_JMODS_AMD64_HASH: 'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
-  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip'
-  OPENJFX_JMODS_AARCH64_HASH: 'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'
+  JAVA_VERSION: '24.0.1+9'
+  COFFEELIBS_JDK: 24
+  COFFEELIBS_JDK_VERSION: '24.0.1+9-0ppa3'
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/24.0.1/openjfx-24.0.1_linux-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: '425fac742b9fbd095b2ce868cff82d1024620f747c94a7144d0a4879e756146c'
+  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/24.0.1/openjfx-24.0.1_linux-aarch64_bin-jmods.zip'
+  OPENJFX_JMODS_AARCH64_HASH: '7e02edd0f4ee5527a27c94b0bbba66fcaaff41009119e45d0eca0f96ddfb6e7b'
 
 jobs:
   get-version:
@@ -40,42 +41,38 @@ jobs:
     name: Build Debian Package
     runs-on: ubuntu-22.04
     needs: [get-version]
-    env:
-      INPUT_PPAVER: ${{ inputs.ppaver }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
       - id: deb-version
         name: Determine deb-version
         run: |
-          if [ -n "${INPUT_PPAVER}" ]; then
-            echo "debVersion=${INPUT_PPAVER}" >> "$GITHUB_OUTPUT"
+          if [ -n "${{inputs.ppaver}}" ]; then
+            echo "debVersion=${{inputs.ppaver }}" >> "$GITHUB_OUTPUT"
           else
             echo "debVersion=${{needs.get-version.outputs.semVerStr}}" >> "$GITHUB_OUTPUT"
           fi
       - name: Install build tools
         run: |
+          sudo add-apt-repository ppa:coffeelibs/openjdk
           sudo apt-get update
-          sudo apt-get install devscripts dput
-          sudo apt-get satisfy "${DEB_BUILD_DEPENDS}"
-        env:
-          DEB_BUILD_DEPENDS: ${{ env.DEB_BUILD_DEPENDS }}
+          sudo apt-get install debhelper devscripts dput coffeelibs-jdk-${{ env.COFFEELIBS_JDK }}=${{ env.COFFEELIBS_JDK_VERSION }}
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
           check-latest: true
           cache: 'maven'
       - name: Run maven
-        run: mvn -B clean package -Plinux -DskipTests
+        run: mvn -B clean package -Plinux -Djavafx.platform=linux -DskipTests
       - name: Download OpenJFX jmods
         id: download-jmods
         run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
+          curl -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
           echo "${{ env.OPENJFX_JMODS_AMD64_HASH }}  openjfx-amd64.zip" | shasum -a256 --check
           mkdir -p jmods/amd64
           unzip -j openjfx-amd64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/amd64
-          curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
+          curl -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
           echo "${{ env.OPENJFX_JMODS_AARCH64_HASH }}  openjfx-aarch64.zip" | shasum -a256 --check
           mkdir -p jmods/aarch64
           unzip -j openjfx-aarch64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/aarch64
@@ -143,7 +140,7 @@ jobs:
         run: |
           gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator_*_amd64.deb
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@v4
         with:
           name: linux-deb-package
           path: |

.github/workflows/dependency-check.yml

@@ -7,13 +7,12 @@ on:
 
 jobs:
   check-dependencies:
-    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # v3.0.3
+    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1
     with:
       runner-os: 'ubuntu-latest'
       java-distribution: 'temurin'
-      java-version: 25
+      java-version: 24
+      check-command: 'mvn -B validate -Pdependency-check -Djavafx.platform=linux'
     secrets:
       nvd-api-key: ${{ secrets.NVD_API_KEY }}
-      ossindex-username: ${{ secrets.OSSINDEX_USERNAME }}
-      ossindex-token: ${{ secrets.OSSINDEX_API_TOKEN }}
-      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/dl-stats.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Get download count of latest releases
         id: get-stats
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v7
         with:
           script: |
             const query = `query($owner:String!, $name:String!) {
@@ -53,7 +53,7 @@ jobs:
           INTERVAL: 900
           JSON_DATA: ${{ steps.get-stats.outputs.result }}
       - name: Upload Results
-        uses: fjogeleit/http-request-action@551353b829c3646756b2ec2b3694f819d7957495 # v2.0.0
+        uses: fjogeleit/http-request-action@v1
         with:
           url: 'https://graphite-us-central1.grafana.net/metrics'
           method: 'POST'

.github/workflows/error-db.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Query Discussion Data
         if: github.event_name == 'discussion_comment' || github.event_name == 'discussion' && github.event.action != 'deleted'
         id: query-data
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v7
         with:
           script: |
             const query = `query ($owner: String!, $name: String!, $discussionNumber: Int!) {
@@ -42,7 +42,7 @@ jobs:
             return await github.graphql(query, variables)
       - name: Get Gist
         id: get-gist
-        uses: andymckay/get-gist-action@cf3bc8164af24126f7e5979eb6d3dc0c12309bd1 # not_tagged
+        uses: andymckay/get-gist-action@master
         with:
           gistURL: https://gist.github.com/cryptobot/accba9fb9555e7192271b85606f97230
       - name: Merge Error Code Data
@@ -58,7 +58,7 @@ jobs:
         env:
           DISCUSSION: ${{ steps.query-data.outputs.result }}
       - name: Patch Gist
-        uses: exuanbo/actions-deploy-gist@47697fceaeea2006a90594ee24eb9cd0a1121ef8 # v1.1.4
+        uses: exuanbo/actions-deploy-gist@v1
         with:
           token: ${{ secrets.CRYPTOBOT_GIST_TOKEN }}
           gist_id: accba9fb9555e7192271b85606f97230

.github/workflows/flathub.yml

@@ -26,14 +26,17 @@ jobs:
       - name: Determine tarball url
         id: url
         run: |
-          URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${TAG}.tar.gz"
+          URL="";
+          if [[ -n "${{ inputs.tag }}"  ]]; then
+            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ inputs.tag }}.tar.gz"
+          else
+            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz"
+          fi
           echo "url=${URL}" >> "$GITHUB_OUTPUT"
-        env:
-          TAG: ${{ inputs.tag || github.event.release.tag_name}}
       - name: Download source tarball and compute checksum
         id: sha512
         run: |
-          curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
+          curl --silent --fail-with-body -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
           TARBALL_SHA512=$(sha512sum cryptomator.tar.gz | cut -d ' ' -f1)
           echo "sha512=${TARBALL_SHA512}" >> "$GITHUB_OUTPUT"
   flathub:
@@ -43,7 +46,7 @@ jobs:
     env:
       FLATHUB_PR_URL: tbd
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
         with:
           repository: 'flathub/org.cryptomator.Cryptomator'
           token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
@@ -71,7 +74,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
       - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        uses: rtCamp/action-slack-notify@v2
         if: github.event_name == 'release'
         env:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/get-version.yml

@@ -23,7 +23,7 @@ on:
 
 env:
   JAVA_DIST: 'temurin'
-  JAVA_VERSION: 25
+  JAVA_VERSION: 24
 
 jobs:
   determine-version:
@@ -35,11 +35,11 @@ jobs:
       revNum: ${{ steps.versions.outputs.revNum }}
       type: ${{ steps.versions.outputs.type}}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -49,8 +49,8 @@ jobs:
         run: |
           if [[ $GITHUB_REF =~ refs/tags/[0-9]+\.[0-9]+\.[0-9]+.* ]]; then
             SEM_VER_STR=${GITHUB_REF##*/}
-          elif [[ "${VERSION_STRING}" =~ [0-9]+\.[0-9]+\.[0-9]+.* ]]; then
-            SEM_VER_STR="${VERSION_STRING}"
+          elif [[ "${{ inputs.version }}" =~ [0-9]+\.[0-9]+\.[0-9]+.* ]]; then
+            SEM_VER_STR="${{ inputs.version }}"
           else
             SEM_VER_STR=`mvn help:evaluate -Dexpression=project.version -q -DforceStdout`
           fi
@@ -70,9 +70,7 @@ jobs:
           echo "semVerNum=${SEM_VER_NUM}" >> $GITHUB_OUTPUT
           echo "revNum=${REVCOUNT}" >> $GITHUB_OUTPUT
           echo "type=${TYPE}" >> $GITHUB_OUTPUT
-        env:
-          VERSION_STRING: ${{ inputs.version }}
       - name: Validate Version
-        uses: skymatic/semver-validation-action@7a6ae1c9e121540d11c9c7e4e667c83d583aa153 # v3.0.0
+        uses: skymatic/semver-validation-action@v3
         with:
           version: ${{ steps.versions.outputs.semVerStr }}

.github/workflows/linux-makepkg.yml

@@ -1,200 +0,0 @@
-name: Build Arch package
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-    inputs:
-      version:
-        description: 'Version'
-        required: false
-      create-pr:
-          description: 'Create a PR for aur repo'
-          type: boolean
-          default: false
-  push:
-    branches-ignore:
-      - 'dependabot/**'
-    paths:
-      - '.github/workflows/linux-makepkg.yml'
-      - 'dist/linux/makepkg/**'
-      - 'dist/linux/common/**'
-      - 'dist/linux/resources/**'
-
-jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.version }}
-
-  makepkg:
-    name: Build with makepkg
-    needs: [get-version]
-    runs-on: ubuntu-latest
-    container:
-      image: archlinux:base-devel
-    env:
-      PKGDEST: ${{ github.workspace }}/pkgdest
-      SRCDEST: ${{ github.workspace }}/srcdest
-    steps:
-      - name: Prepare pacman
-        run: |
-          pacman-key --init
-          pacman-key --populate archlinux
-          pacman -Syu --noconfirm --needed git base-devel sudo gnupg maven unzip
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          path: cryptomator
-      - name: Create build user
-        run: |
-          useradd -m builder
-          echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder
-          chown -R builder:builder "$GITHUB_WORKSPACE"
-          install -d -m 0755 -o builder -g builder "$PKGDEST" "$SRCDEST"
-      - name: Prepare PKGBUILD
-        # cannot use github.workspace due to https://github.com/actions/runner/issues/2058
-        run: |
-          export SOURCES="${SOURCES_1}${GITHUB_WORKSPACE}${SOURCES_2}"
-          envsubst '$PKG_VERSION $PKG_RELEASE $SOURCES $SOURCES_SHA' < cryptomator/dist/linux/makepkg/PKGBUILD.template > PKGBUILD
-        env:
-          PKG_VERSION: ${{ needs.get-version.outputs.semVerNum }}
-          PKG_RELEASE: 1
-          SOURCES_1: '"${_src_app_dir}::git+file://'
-          SOURCES_2: '/cryptomator"'
-          SOURCES_SHA: "'SKIP'"
-      - name: Build package with makepkg
-        run: >
-          sudo -u builder
-          env PKGDEST="$PKGDEST" SRCDEST="$SRCDEST"
-          makepkg --syncdeps --cleanbuild --noconfirm --log
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: arch-package
-          if-no-files-found: error
-          path: |
-            ${{ env.PKGDEST }}/*.pkg.tar.zst
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: pkgbuild-file
-          if-no-files-found: error
-          path: |
-            cryptomator/dist/linux/makepkg/PKGBUILD.template
-
-  create-pr:
-    name: Create PR for aur repo
-    if:  github.event_name == 'workflow_dispatch' && inputs.create-pr || github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable'
-    runs-on: ubuntu-latest
-    needs: [get-version, makepkg]
-    container:
-      image: archlinux:base-devel
-    env:
-      PKGDEST: ${{ github.workspace }}/pkgdest
-      SRCDEST: ${{ github.workspace }}/srcdest
-    steps:
-      - name: Prepare pacman
-        run: |
-          pacman-key --init
-          pacman-key --populate archlinux
-          pacman -Syu --noconfirm --needed git base-devel sudo gnupg maven unzip github-cli curl
-      - name: Download source tarball and compute checksum
-        id: sha256
-        run: |
-          URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${TAG}.tar.gz"
-          curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" ${URL} --output cryptomator.tar.gz
-          TARBALL_SHA256=$(sha256sum cryptomator.tar.gz | cut -d ' ' -f1)
-          echo "value=${TARBALL_SHA256}" >> "$GITHUB_OUTPUT"
-        env:
-          TAG: ${{ needs.get-version.outputs.semVerStr || github.event.release.tag_name }}
-      - name: Checkout cryptomator/aur repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          repository: 'cryptomator/aur'
-          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Create build user
-        run: |
-          useradd -m builder
-          echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder
-          chown -R builder:builder "$GITHUB_WORKSPACE"
-          install -d -m 0755 -o builder -g builder "$PKGDEST" "$SRCDEST"
-      - name: Import Cryptomator release signing key
-        # try first ubuntu. on failure try openpgp keyservers
-        run: >
-          sudo -u builder gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
-          || sudo -u builder gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
-      - name: Checkout release branch
-        run: |
-          git config --global safe.directory '*'
-          git checkout -b release/${VERSION}
-        env:
-          VERSION: ${{ needs.get-version.outputs.semVerStr }}
-      - name: Determine pkgrel
-        id: pkgrel
-        run: |
-          TARGET_VERSION='${{ needs.get-version.outputs.semVerStr }}'
-          CURRENT_VERSION="$(sed -nE 's/^pkgver=(.*)$/\1/p' PKGBUILD | head -n1)"
-          CURRENT_REL="$(sed -nE 's/^pkgrel=([0-9]+).*$/\1/p' PKGBUILD | head -n1)"
-
-          if [[ "$CURRENT_VERSION" == "$TARGET_VERSION" && "$CURRENT_REL" =~ ^[0-9]+$ ]]; then
-            NEXT_REL=$((CURRENT_REL + 1))
-          else
-            NEXT_REL=1
-          fi
-
-          echo "value=${NEXT_REL}" >> "$GITHUB_OUTPUT"
-          echo "dist-version=${VERSION}-${NEXT_REL}" >> "$GITHUB_OUTPUT"
-        env:
-          VERSION: ${{ needs.get-version.outputs.semVerStr }}
-      - name: Download PKGBUILD template
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
-        with:
-          name: pkgbuild-file
-      - name: Prepare PKGBUILD
-        run: |
-          envsubst '$PKG_VERSION $PKG_RELEASE $SOURCES $SOURCES_SHA' < PKGBUILD.template > PKGBUILD
-          sudo -u builder makepkg --printsrcinfo > .SRCINFO
-        env:
-          PKG_VERSION: ${{ needs.get-version.outputs.semVerNum }}
-          PKG_RELEASE: ${{ steps.pkgrel.outputs.value }}
-          SOURCES: |-
-            "cryptomator-${pkgver//_/-}.tar.gz::https://github.com/cryptomator/cryptomator/archive/refs/tags/${pkgver//_/-}.tar.gz"
-                    "cryptomator-${pkgver//_/-}.tar.gz.asc::https://github.com/cryptomator/cryptomator/releases/download/${pkgver//_/-}/cryptomator-${pkgver//_/-}.tar.gz.asc"
-          SOURCES_SHA: |-
-            '${{steps.sha256.outputs.value}}'
-                        'SKIP'
-      - name: Build package with makepkg
-        run: >
-          sudo -u builder
-          env PKGDEST="$PKGDEST" SRCDEST="$SRCDEST"
-          makepkg --syncdeps --cleanbuild --noconfirm --log
-      - name: Commit and push
-        run: |
-          git config user.name "cryptobot"
-          git config user.email "cryptobot@users.noreply.github.com"
-          git config push.autoSetupRemote true
-          git stage PKGBUILD .SRCINFO
-          git commit -m "Prepare release ${DIST_VERSION}"
-          git push
-        env:
-          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
-      - name: Create pull request
-        id: create-pr
-        run: |
-          printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md
-          PR_URL=$(gh pr create --title "Release $DIST_VERSION" --body-file pr_body.md)
-          echo "url=$PR_URL" >> "$GITHUB_OUTPUT"
-        env:
-          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
-          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Slack Notification
-        if: github.event_name == 'release'
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: false
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "AUR release PR created for ${{ github.event.repository.name }} ${{ steps.pkgrel.outputs.dist-version }} ."
-          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.url }}|PR> on how to proceed."
-          SLACK_FOOTER: false
-          MSG_MINIMAL: true

.github/workflows/mac-dmg-x64.yml

@@ -24,7 +24,7 @@ on:
 
 env:
   JAVA_DIST: 'temurin'
-  JAVA_VERSION: '25.0.2+10.0.LTS'
+  JAVA_VERSION: '24.0.1+9'
 
 jobs:
   get-version:
@@ -44,12 +44,12 @@ jobs:
           architecture: x64
           output-suffix: x64
           fuse-lib: macFUSE
-          openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_osx-x64_bin-jmods.zip'
-          openjfx-sha: '0b4d8463f03901b7425d94628e4116b7078abb8dd540fbec415266fac20bda5c'
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/24.0.1/openjfx-24.0.1_osx-x64_bin-jmods.zip'
+          openjfx-sha: '6e62a426d43c168a488521f904a523f3dd6ee2cf103e08136f2fd465c828a105'
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -59,7 +59,7 @@ jobs:
       - name: Download OpenJFX jmods
         id: download-jmods
         run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
           echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
           mkdir -p openjfx-jmods/
           unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -79,7 +79,7 @@ jobs:
       - name: Set version
         run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Pmac -DskipTests
+        run: mvn -B -Djavafx.platform=mac clean package -Pmac -DskipTests
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
@@ -99,7 +99,7 @@ jobs:
           --verbose
           --output runtime
           --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
-          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.unsupported,jdk.accessibility,jdk.management.jfr,java.compiler
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.accessibility,jdk.management.jfr,java.compiler
           --strip-native-commands
           --no-header-files
           --no-man-pages
@@ -121,6 +121,7 @@ jobs:
           --app-version "${{ needs.get-version.outputs.semVerNum }}"
           --java-options "--enable-preview"
           --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.mac"
+          --java-options "--sun-misc-unsafe-memory-access=allow"
           --java-options "-Xss5m"
           --java-options "-Xmx256m"
           --java-options "-Dfile.encoding=\"utf-8\""
@@ -128,24 +129,21 @@ jobs:
           --java-options "-Dapple.awt.enableTemplateImages=true"
           --java-options "-Dsun.java2d.metal=true"
           --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
-          --java-options "-Dcryptomator.adminConfigPath=\"/Library/Application Support/Cryptomator/config.properties\""
           --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/Cryptomator\""
+          --java-options "-Dcryptomator.pluginDir=\"@{userhome}/Library/Application Support/Cryptomator/Plugins\""
           --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/Cryptomator/settings.json\""
           --java-options "-Dcryptomator.p12Path=\"@{userhome}/Library/Application Support/Cryptomator/key.p12\""
           --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/Library/Application Support/Cryptomator/ipc.socket\""
           --java-options "-Dcryptomator.integrationsMac.keychainServiceName=\"Cryptomator\""
           --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support/Cryptomator/mnt\""
           --java-options "-Dcryptomator.showTrayIcon=true"
-          --java-options "-Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism"
           --java-options "-Dcryptomator.buildNumber=\"dmg-${{ needs.get-version.outputs.revNum }}\""
-          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
           --mac-package-identifier org.cryptomator
           --resource-dir dist/mac/resources
       - name: Patch Cryptomator.app
         run: |
           mv appdir/Cryptomator.app Cryptomator.app
           mv dist/mac/resources/Cryptomator-Vault.icns Cryptomator.app/Contents/Resources/
-          cp dist/mac/resources/Assets.car Cryptomator.app/Contents/Resources/
           sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" Cryptomator.app/Contents/Info.plist
           sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" Cryptomator.app/Contents/Info.plist
           echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output Cryptomator.app/Contents/embedded.provisionprofile
@@ -155,7 +153,7 @@ jobs:
           PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
       - name: Generate license for dmg
         run: >
-          mvn -B license:add-third-party
+          mvn -B -Djavafx.platform=mac license:add-third-party
           -Dlicense.thirdPartyFilename=license.rtf
           -Dlicense.outputDirectory=dist/mac/dmg/resources
           -Dlicense.fileTemplate=dist/mac/dmg/resources/licenseTemplate.ftl
@@ -250,7 +248,7 @@ jobs:
           CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
       - name: Notarize .dmg
         if: startsWith(github.ref, 'refs/tags/') || inputs.notarize
-        uses: cocoalibs/xcode-notarization-action@5cf433d494b6fa26504b574c591f4dd120388846 # v1.0.3
+        uses: cocoalibs/xcode-notarization-action@v1
         with:
           app-path: 'Cryptomator-*.dmg'
           apple-id: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
@@ -271,7 +269,7 @@ jobs:
         run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
         continue-on-error: true
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@v4
         with:
           name: dmg-${{ matrix.output-suffix }}
           path: |
@@ -280,7 +278,7 @@ jobs:
           if-no-files-found: error
       - name: Publish dmg on GitHub Releases
         if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@v2
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}

.github/workflows/mac-dmg.yml

@@ -22,7 +22,7 @@ on:
 
 env:
   JAVA_DIST: 'temurin'
-  JAVA_VERSION: '25.0.2+10.0.LTS'
+  JAVA_VERSION: '24.0.1+9'
 
 jobs:
   get-version:
@@ -42,12 +42,12 @@ jobs:
           architecture: aarch64
           output-suffix: arm64
           fuse-lib: FUSE-T
-          openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_osx-aarch64_bin-jmods.zip'
-          openjfx-sha: '4cd258001c75af7047005c5c891e2400ed11d24fbb09412324c0cbaf8b503c5a'
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/24.0.1/openjfx-24.0.1_osx-aarch64_bin-jmods.zip'
+          openjfx-sha: 'b5a94a13077507003fa852512bfa33f4fb680bc8076d8002e4227a84c85171d4'
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -57,7 +57,7 @@ jobs:
       - name: Download OpenJFX jmods
         id: download-jmods
         run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
           echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
           mkdir -p openjfx-jmods/
           unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -77,7 +77,7 @@ jobs:
       - name: Set version
         run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Pmac -DskipTests
+        run: mvn -B -Djavafx.platform=mac clean package -Pmac -DskipTests
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
@@ -97,7 +97,7 @@ jobs:
           --verbose
           --output runtime
           --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
-          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.unsupported,jdk.accessibility,jdk.management.jfr,java.compiler
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.accessibility,jdk.management.jfr,java.compiler
           --strip-native-commands
           --no-header-files
           --no-man-pages
@@ -119,6 +119,7 @@ jobs:
           --app-version "${{ needs.get-version.outputs.semVerNum }}"
           --java-options "--enable-preview"
           --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.mac"
+          --java-options "--sun-misc-unsafe-memory-access=allow"
           --java-options "-Xss5m"
           --java-options "-Xmx256m"
           --java-options "-Dfile.encoding=\"utf-8\""
@@ -126,25 +127,21 @@ jobs:
           --java-options "-Dapple.awt.enableTemplateImages=true"
           --java-options "-Dsun.java2d.metal=true"
           --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
-          --java-options "-Dcryptomator.adminConfigPath=\"/Library/Application Support/Cryptomator/config.properties\""
           --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/Cryptomator\""
+          --java-options "-Dcryptomator.pluginDir=\"@{userhome}/Library/Application Support/Cryptomator/Plugins\""
           --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/Cryptomator/settings.json\""
           --java-options "-Dcryptomator.p12Path=\"@{userhome}/Library/Application Support/Cryptomator/key.p12\""
           --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/Library/Application Support/Cryptomator/ipc.socket\""
           --java-options "-Dcryptomator.integrationsMac.keychainServiceName=\"Cryptomator\""
           --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support/Cryptomator/mnt\""
           --java-options "-Dcryptomator.showTrayIcon=true"
-          --java-options "-Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism"
           --java-options "-Dcryptomator.buildNumber=\"dmg-${{ needs.get-version.outputs.revNum }}\""
-          --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log"
-          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
           --mac-package-identifier org.cryptomator
           --resource-dir dist/mac/resources
       - name: Patch Cryptomator.app
         run: |
           mv appdir/Cryptomator.app Cryptomator.app
           mv dist/mac/resources/Cryptomator-Vault.icns Cryptomator.app/Contents/Resources/
-          cp dist/mac/resources/Assets.car Cryptomator.app/Contents/Resources/
           sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" Cryptomator.app/Contents/Info.plist
           sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" Cryptomator.app/Contents/Info.plist
           echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output Cryptomator.app/Contents/embedded.provisionprofile
@@ -154,7 +151,7 @@ jobs:
           PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
       - name: Generate license for dmg
         run: >
-          mvn -B license:add-third-party
+          mvn -B -Djavafx.platform=mac license:add-third-party
           -Dlicense.thirdPartyFilename=license.rtf
           -Dlicense.outputDirectory=dist/mac/dmg/resources
           -Dlicense.fileTemplate=dist/mac/dmg/resources/licenseTemplate.ftl
@@ -249,7 +246,7 @@ jobs:
           CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
       - name: Notarize .dmg
         if: startsWith(github.ref, 'refs/tags/') || inputs.notarize
-        uses: cocoalibs/xcode-notarization-action@5cf433d494b6fa26504b574c591f4dd120388846 # v1.0.3
+        uses: cocoalibs/xcode-notarization-action@v1
         with:
           app-path: 'Cryptomator-*.dmg'
           apple-id: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
@@ -270,7 +267,7 @@ jobs:
         run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
         continue-on-error: true
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@v4
         with:
           name: dmg-${{ matrix.output-suffix }}
           path: |
@@ -279,7 +276,7 @@ jobs:
           if-no-files-found: error
       - name: Publish dmg on GitHub Releases
         if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@v2
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}

.github/workflows/no-response.yml

@@ -12,7 +12,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@v9
         with:
           days-before-stale: 14
           days-before-close: 0

.github/workflows/post-publish.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Download source tarball
         run: |
-          curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz --output cryptomator-${{ github.event.release.tag_name }}.tar.gz
+          curl -L -H "Accept: application/vnd.github+json" https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz --output cryptomator-${{ github.event.release.tag_name }}.tar.gz
       - name: Sign source tarball with key 615D449FE6E6A235
         run: |
           echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -19,16 +19,16 @@ jobs:
           GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Publish asc on GitHub Releases
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@v2
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
           files: |
             cryptomator-*.tar.gz.asc
       - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        uses: rtCamp/action-slack-notify@v2
         env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
           SLACK_USERNAME: 'Cryptobot'
           SLACK_ICON: false
           SLACK_ICON_EMOJI: ':bot:'

.github/workflows/pullrequest.yml

@@ -5,7 +5,7 @@ on:
 
 env:
   JAVA_DIST: 'temurin'
-  JAVA_VERSION: 25
+  JAVA_VERSION: 24
 
 defaults:
   run:
@@ -16,11 +16,11 @@ jobs:
     name: Compile and Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Build and Test
-        run: xvfb-run mvn -B clean install jacoco:report -Pcoverage
+        run: xvfb-run mvn -B clean install jacoco:report -Pcoverage -Djavafx.platform=linux

.github/workflows/release-check.yml

@@ -12,16 +12,16 @@ defaults:
 
 env:
   JAVA_DIST: 'temurin'
-  JAVA_VERSION: 25
+  JAVA_VERSION: 23
 
 jobs:
   check-preconditions:
     name: Validate commits pushed to release/hotfix branch to fulfill release requirements
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -43,14 +43,13 @@ jobs:
             exit 1
           fi
       - name: Validate release in org.cryptomator.Cryptomator.metainfo.xml file
-        if: ${{ ! (contains(github.event.head_commit.message, '[skip metadata check]') || contains(github.event.head_commit.message, '[metadata check skip]')) }}
         run: |
           if ! grep -q "<release date=\".*\" version=\"${{ steps.validate-pom-version.outputs.semVerStr }}\">" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then
             echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml"
             exit 1
           fi
       - name: Cache NVD DB
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@v4
         with:
           path: ~/.m2/repository/org/owasp/dependency-check-data/
           key: dependency-check-${{ github.run_id }}
@@ -61,6 +60,6 @@ jobs:
       - name: Run org.owasp:dependency-check plugin
         id: dependency-check
         continue-on-error: true
-        run: mvn -B verify -Pdependency-check -DskipTests
+        run: mvn -B verify -Pdependency-check -DskipTests -Djavafx.platform=linux
         env:
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}

.github/workflows/stale.yml

@@ -12,7 +12,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@v9
         with:
           days-before-stale: 365
           days-before-close: 90

.github/workflows/win-exe.yml

@@ -8,9 +8,8 @@ on:
       version:
         description: 'Version'
         required: false
-      sign:
-        description: 'Sign binaries'
-        required: false
+      isDebug:
+        description: 'Build debug version with console output'
         type: boolean
         default: false
   push:
@@ -22,12 +21,11 @@ on:
 
 
 env:
-  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_windows-x64_bin-jmods.zip'
-  OPENJFX_JMODS_AMD64_HASH: '33d878dfac85590c4d77c518ed413e512d34a8479d90132b230a7ddd173576b3'
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/24.0.1/openjfx-24.0.1_windows-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: 'f13d17c7caf88654fc835f1b4e75a9b0f34a888eb8abef381796c0002e63b03f'
   WINFSP_MSI: 'https://github.com/winfsp/winfsp/releases/download/v2.1/winfsp-2.1.25156.msi'
   WINFSP_MSI_HASH: '073a70e00f77423e34bed98b86e600def93393ba5822204fac57a29324db9f7a'
   WINFSP_UNINSTALLER: 'https://github.com/cryptomator/winfsp-uninstaller/releases/latest/download/winfsp-uninstaller.exe'
-  WIX_VERSION: '6.0.2'
 
 defaults:
   run:
@@ -48,13 +46,21 @@ jobs:
         include:
           - arch: x64
             os: windows-latest
-            java-dist: 'zulu' #cannot use temurin, see https://github.com/cryptomator/cryptomator/issues/3824#issuecomment-2829827427
-            java-version: '25.0.1+8'
+            java-dist: 'zulu'
+            java-version: '24.0.1+9'
             java-package: 'jdk'
+          - arch: arm64
+            os: windows-11-arm
+            java-dist: 'liberica'
+            java-version: '24.0.1+11'
+            java-package: 'jdk+fx' #This is needed, as liberica contains JFX 24 Jmods for Windows ARM64
+    env:
+      LOOPBACK_ALIAS: 'cryptomator-vault'
+      WIN_CONSOLE_FLAG: ''
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ matrix.java-dist }}
           java-version: ${{ matrix.java-version }}
@@ -63,16 +69,14 @@ jobs:
           cache: 'maven'
       - name: Install wix and extensions
         run: |
-          dotnet tool install --global wix --version ${WIX_VERSION}
-          wix.exe extension add --global WixToolset.UI.wixext/${WIX_VERSION}
-          wix.exe extension add --global WixToolset.Util.wixext/${WIX_VERSION}
-        env:
-          WIX_VERSION: ${{ env.WIX_VERSION }}
+          dotnet tool install --global wix --version 6.0.0
+          wix.exe extension add WixToolset.UI.wixext/6.0.0 --global
+          wix.exe extension add WixToolset.Util.wixext/6.0.0 --global
       - name: Download and extract JavaFX jmods from Gluon
         if: matrix.arch == 'x64'
         #In the last step we move all jmods files a dir level up because jmods are placed inside a directory in the zip
         run: |
-          curl --silent --fail-with-body --proto "=https" -L "${{ env.OPENJFX_JMODS_AMD64 }}" --output openjfx-jmods.zip
+          curl --output openjfx-jmods.zip -L "${{ env.OPENJFX_JMODS_AMD64 }}"
           if(!(Get-FileHash -Path openjfx-jmods.zip -Algorithm SHA256).Hash.ToLower().equals("${{ env.OPENJFX_JMODS_AMD64_HASH }}")) {
             throw "Wrong checksum of JMOD archive downloaded from ${{ env.OPENJFX_JMODS_AMD64 }}.";
           }
@@ -96,7 +100,7 @@ jobs:
       - name: Set version
         run: mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Pwin -DskipTests
+        run: mvn -B clean package -Pwin -DskipTests -Djavafx.platform=win
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
@@ -116,7 +120,7 @@ jobs:
           --verbose
           --output runtime
           --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
-          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.crypto.mscapi,jdk.unsupported,jdk.accessibility,jdk.management.jfr,java.compiler
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.mscapi,jdk.unsupported,jdk.accessibility,jdk.management.jfr,java.compiler
           --strip-native-commands
           --no-header-files
           --no-man-pages
@@ -138,36 +142,45 @@ jobs:
           --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum }}"
           --java-options "--enable-preview"
           --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.win,org.cryptomator.integrations.win"
+          --java-options "--sun-misc-unsafe-memory-access=allow"
           --java-options "-Xss5m"
           --java-options "-Xmx256m"
           --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
           --java-options "-Dfile.encoding=\"utf-8\""
           --java-options "-Djava.net.useSystemProxies=true"
-          --java-options "-Dcryptomator.adminConfigPath=\"C:/ProgramData/Cryptomator/config.properties\""
           --java-options "-Dcryptomator.logDir=\"@{localappdata}/Cryptomator\""
+          --java-options "-Dcryptomator.pluginDir=\"@{appdata}/Cryptomator/Plugins\""
           --java-options "-Dcryptomator.settingsPath=\"@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json\""
           --java-options "-Dcryptomator.p12Path=\"@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12\""
           --java-options "-Dcryptomator.ipcSocketPath=\"@{localappdata}/Cryptomator/ipc.socket\""
           --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Cryptomator\""
-          --java-options "-Dcryptomator.loopbackAlias=\"cryptomator-vault\""
+          --java-options "-Dcryptomator.loopbackAlias=\"${{ env.LOOPBACK_ALIAS }}\""
           --java-options "-Dcryptomator.showTrayIcon=true"
           --java-options "-Dcryptomator.buildNumber=\"msi-${{ needs.get-version.outputs.revNum }}\""
           --java-options "-Dcryptomator.integrationsWin.autoStartShellLinkName=\"Cryptomator\""
           --java-options "-Dcryptomator.integrationsWin.keychainPaths=\"@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json\""
           --java-options "-Dcryptomator.integrationsWin.windowsHelloKeychainPaths=\"@{appdata}/Cryptomator/windowsHelloKeychain.json\""
-          --java-options "-Dcryptomator.disableUpdateCheck=false"
-          --java-options "-XX:ErrorFile=C:/cryptomator/cryptomator_crash.log"
-          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
+          --java-options "-Djavafx.verbose=${{ inputs.isDebug }}"
           --resource-dir dist/win/resources
           --icon dist/win/resources/Cryptomator.ico
-          --add-launcher "Cryptomator (Debug)=dist/win/debug-launcher.properties"
+          --add-launcher "Debug_Cryptomator=dist/win/debug-launcher.properties"
       - name: Patch Application Directory
         run: |
           cp dist/win/contrib/* appdir/Cryptomator
+      - name: Set LOOPBACK_ALIAS in patchWebDAV.bat
+        shell: pwsh
+        run: |
+          $patchScript = "appdir\Cryptomator\patchWebDAV.bat"
+          try {
+            (Get-Content $patchScript ) -replace '::REPLACE ME', "SET LOOPBACK_ALIAS=`"${{ env.LOOPBACK_ALIAS}}`"" | Set-Content $patchScript
+          } catch {
+            Write-Host "Failed to set LOOPBACK_ALIAS for patchWebDAV.bat"
+            exit 1
+          }
       - name: Fix permissions
         run: |
           attrib -r appdir/Cryptomator/Cryptomator.exe
-          attrib -r "appdir/Cryptomator/Cryptomator (Debug).exe"
+          attrib -r appdir/Cryptomator/Debug_Cryptomator.exe
         shell: pwsh
       - name: Extract jars with DLLs for Codesigning
         shell: pwsh
@@ -192,27 +205,16 @@ jobs:
           New-Item -Path appdir/jpackage-jmod -ItemType Directory
           & $env:JAVA_HOME\bin\jmod.exe extract --dir jpackage-jmod "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
           Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
-      - name: Sign DLLs with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'release'
-        uses: ./.github/actions/win-sign-action
+      - name: Codesign
+        uses: skymatic/code-sign-action@v3
         with:
-          base-dir: ${{ github.workspace }}\appdir
+          certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
+          password: ${{ secrets.WIN_CODESIGN_P12_PW }}
+          certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
+          description: Cryptomator
+          timestampUrl: 'http://timestamp.digicert.com'
+          folder: appdir
           recursive: true
-          append-signature: true
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-      - name: Sign DLLs with Actalis CodeSigner
-        if: inputs.sign || github.event_name == 'release'
-        uses: skymatic/workflows/.github/actions/win-sign-action@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # no specific version
-        with:
-          base-dir: 'appdir'
-          file-extensions: 'dll,exe,ps1'
-          recursive: true
-          sign-description: 'Cryptomator'
-          sign-url: 'https://cryptomator.org'
-          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
-          password: ${{ secrets.WIN_CODESIGN_PW }}
       - name: Replace DLLs inside jars with signed ones
         shell: pwsh
         run: |
@@ -229,7 +231,7 @@ jobs:
           }
       - name: Generate license for MSI
         run: >
-          mvn -B license:add-third-party
+          mvn -B license:add-third-party "-Djavafx.platform=win"
           "-Dlicense.thirdPartyFilename=license.rtf"
           "-Dlicense.outputDirectory=dist/win/resources"
           "-Dlicense.fileTemplate=dist/win/resources/licenseTemplate.ftl"
@@ -261,16 +263,15 @@ jobs:
         env:
           JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources # requires abs path, used in resources/main.wxs
           JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir
-      - name: Sign MSI with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'release'
-        uses: ./.github/actions/win-sign-action
+      - name: Codesign MSI
+        uses: skymatic/code-sign-action@v3
         with:
-          base-dir: ${{ github.workspace }}\installer
-          file-extensions: msi
-          description: 'Cryptomator Installer'
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+          certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
+          password: ${{ secrets.WIN_CODESIGN_P12_PW }}
+          certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
+          description: Cryptomator Installer
+          timestampUrl: 'http://timestamp.digicert.com'
+          folder: installer
       - name: Add possible alpha/beta tags and architecture to installer name
         run: mv installer/Cryptomator-*.msi Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.arch }}.msi
       - name: Create detached GPG signature with key 615D449FE6E6A235
@@ -281,7 +282,7 @@ jobs:
           GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@v4
         with:
           name: msi-${{ matrix.arch }}
           path: |
@@ -302,24 +303,28 @@ jobs:
             java-dist: 'zulu'
             java-version: '24.0.1+9'
             java-package: 'jdk'
+          - arch: arm64
+            os: windows-11-arm
+            executable-suffix: arm64
+            java-dist: 'liberica'
+            java-version: '24.0.1+11'
+            java-package: 'jdk+fx' #This is needed, as liberica contains JFX 24 Jmods for Windows ARM64
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
       - name: Install wix and extensions
         run: |
-          dotnet tool install --global wix --version ${WIX_VERSION}
-          wix.exe extension add --global WixToolset.BootstrapperApplications.wixext/${WIX_VERSION}
-          wix.exe extension add --global WixToolset.Util.wixext/${WIX_VERSION}
-        env:
-          WIX_VERSION: ${{ env.WIX_VERSION }}
+          dotnet tool install --global wix --version 6.0.0
+          wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.0 --global
+          wix.exe extension add WixToolset.Util.wixext/6.0.0 --global
       - name: Download .msi
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@v4
         with:
           name: msi-${{ matrix.arch }}
           path: dist/win/bundle/resources
       - name: Strip version info from msi file name
         run: mv dist/win/bundle/resources/Cryptomator*.msi dist/win/bundle/resources/Cryptomator.msi
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ matrix.java-dist }}
           java-version: ${{ matrix.java-version }}
@@ -328,7 +333,7 @@ jobs:
           cache: 'maven'
       - name: Generate license for exe
         run: >
-          mvn -B license:add-third-party
+          mvn -B license:add-third-party "-Djavafx.platform=win"
           "-Dlicense.thirdPartyFilename=license.rtf"
           "-Dlicense.fileTemplate=dist/win/bundle/resources/licenseTemplate.ftl"
           "-Dlicense.outputDirectory=dist/win/bundle/resources"
@@ -339,7 +344,7 @@ jobs:
         shell: pwsh
       - name: Download WinFsp
         run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ env.WINFSP_MSI }} --output $env:WINFSP_PATH
+          curl --output $env:WINFSP_PATH -L ${{ env.WINFSP_MSI }}
           $computedHash = (Get-FileHash -Path $env:WINFSP_PATH -Algorithm SHA256).Hash.ToLower()
           if ($computedHash -ne "${{ env.WINFSP_MSI_HASH }}") {
             throw "Checksum mismatch for $env:WINFSP_PATH (expected ${{ env.WINFSP_MSI_HASH }}, got $computedHash)."
@@ -349,7 +354,7 @@ jobs:
         shell: pwsh
       - name: Download Legacy-WinFsp uninstaller
         run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ env.WINFSP_UNINSTALLER }} --output dist/win/bundle/resources/winfsp-uninstaller.exe
+          curl --output dist/win/bundle/resources/winfsp-uninstaller.exe -L ${{ env.WINFSP_UNINSTALLER }}
         shell: pwsh
       - name: Create Wix Burn bundle
         working-directory: dist/win
@@ -369,51 +374,27 @@ jobs:
       - name: Detach burn engine in preparation to sign
         run: >
           wix burn detach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe
-      - name: Sign WiX burn engine with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'release'
-        uses: ./.github/actions/win-sign-action
+      - name: Codesign burn engine
+        uses: skymatic/code-sign-action@v3
         with:
-          base-dir: ${{ github.workspace }}\tmp
-          file-extensions: exe
-          append-signature: true
-          description: 'Cryptomator Bundle Installer'
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-      - name: Sign burn engine with Actalis CodeSigner
-        if: inputs.sign || github.event_name == 'release'
-        uses: skymatic/workflows/.github/actions/win-sign-action@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # no specific version
-        with:
-          base-dir: 'tmp'
-          file-extensions: 'exe'
-          sign-description: 'Cryptomator Bundle Installer'
-          sign-url: 'https://cryptomator.org'
-          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
-          password: ${{ secrets.WIN_CODESIGN_PW }}
+          certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
+          password: ${{ secrets.WIN_CODESIGN_P12_PW }}
+          certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
+          description: Cryptomator Installer
+          timestampUrl: 'http://timestamp.digicert.com'
+          folder: tmp
       - name: Reattach signed burn engine to installer
         run: >
           wix burn reattach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe -o installer/Cryptomator-Installer.exe
-      - name: Sign EXE installer with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'release'
-        uses: ./.github/actions/win-sign-action
+      - name: Codesign EXE
+        uses: skymatic/code-sign-action@v3
         with:
-          base-dir: ${{ github.workspace }}\installer
-          file-extensions: exe
-          append-signature: true
-          description: 'Cryptomator Bundle Installer'
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-      - name: Sign installer with Actalis CodeSigner
-        if: inputs.sign || github.event_name == 'release'
-        uses: skymatic/workflows/.github/actions/win-sign-action@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # no specific version
-        with:
-          base-dir: 'installer'
-          file-extensions: 'exe'
-          sign-description: 'Cryptomator Bundle Installer'
-          sign-url: 'https://cryptomator.org'
-          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
-          password: ${{ secrets.WIN_CODESIGN_PW }}
+          certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
+          password: ${{ secrets.WIN_CODESIGN_P12_PW }}
+          certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
+          description: Cryptomator Installer
+          timestampUrl: 'http://timestamp.digicert.com'
+          folder: installer
       - name: Add possible alpha/beta tags to installer name
         run: mv installer/Cryptomator-Installer.exe Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.executable-suffix }}.exe
       - name: Create detached GPG signature with key 615D449FE6E6A235
@@ -424,7 +405,7 @@ jobs:
           GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@v4
         with:
           name: exe-${{ matrix.executable-suffix }}
           path: |
@@ -439,22 +420,26 @@ jobs:
     needs: [ build-msi, build-exe ]
     outputs:
       download-url-msi-x64: ${{ fromJSON(steps.publish.outputs.assets)[0].browser_download_url }}
+      download-url-msi-arm64: ${{ fromJSON(steps.publish.outputs.assets)[1].browser_download_url }}
       download-url-exe-x64: ${{ fromJSON(steps.publish.outputs.assets)[2].browser_download_url }}
+      download-url-exe-arm64: ${{ fromJSON(steps.publish.outputs.assets)[3].browser_download_url }}
     steps:
       - name: Download installers
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@v4
         with:
           merge-multiple: true
       - name: Publish installers on GitHub Releases
         id: publish
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@v2
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
           # do not change ordering of filelist, required for correct job output
           files: |
             *x64.msi
+            *arm64.msi
             *x64.exe
+            *arm64.exe
             *.asc
 
   allowlist-msi-x64:
@@ -464,6 +449,13 @@ jobs:
       url: ${{ needs.publish.outputs.download-url-msi-x64 }}
     secrets: inherit
 
+  allowlist-msi-arm64:
+    uses: ./.github/workflows/av-whitelist.yml
+    needs: [ publish ]
+    with:
+      url: ${{ needs.publish.outputs.download-url-msi-arm64 }}
+    secrets: inherit
+
   allowlist-exe-x64:
     uses: ./.github/workflows/av-whitelist.yml
     needs: [ publish, allowlist-msi-x64 ]
@@ -471,6 +463,13 @@ jobs:
       url: ${{ needs.publish.outputs.download-url-exe-x64 }}
     secrets: inherit
 
+  allowlist-exe-arm64:
+    uses: ./.github/workflows/av-whitelist.yml
+    needs: [ publish, allowlist-msi-arm64 ]
+    with:
+      url: ${{ needs.publish.outputs.download-url-exe-arm64 }}
+    secrets: inherit
+
   notify-winget:
     name: Notify for winget-release
     if: needs.get-version.outputs.versionType == 'stable'
@@ -478,7 +477,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        uses: rtCamp/action-slack-notify@v2
         env:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
           SLACK_USERNAME: 'Cryptobot'

.github/workflows/winget.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
       - name: Submit package
-        uses: vedantmgoyal2009/winget-releaser@19e706d4c9121098010096f9c495a70a7518b30f # no_specific_version
+        uses: vedantmgoyal2009/winget-releaser@main
         with:
           identifier: Cryptomator.Cryptomator
           version: ${{ inputs.tag }}

.idea/compiler.xml

@@ -12,15 +12,18 @@
         <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
         <outputRelativeToContentRoot value="true" />
         <option name="dagger.fastInit" value="enabled" />
+        <option name="dagger.formatGeneratedSource" value="enabled" />
         <processorPath useClasspath="false">
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.59.1/dagger-compiler-2.59.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.59.1/dagger-2.59.1.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.55/dagger-compiler-2.55.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.55/dagger-2.55.jar" />
           <entry name="$MAVEN_REPOSITORY$/jakarta/inject/jakarta.inject-api/2.0.1/jakarta.inject-api-2.0.1.jar" />
+          <entry name="$MAVEN_REPOSITORY$/javax/inject/javax.inject/1/javax.inject-1.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/jspecify/jspecify/1.0.0/jspecify-1.0.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.59.1/dagger-spi-2.59.1.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.55/dagger-spi-2.55.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/2.2.20-2.0.3/symbol-processing-api-2.2.20-2.0.3.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/googlejavaformat/google-java-format/1.33.0/google-java-format-1.33.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/2.0.21-1.0.28/symbol-processing-api-2.0.21-1.0.28.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/2.0.21/kotlin-stdlib-2.0.21.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/annotations/13.0/annotations-13.0.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/guava/33.0.0-jre/guava-33.0.0-jre.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar" />
@@ -28,41 +31,14 @@
           <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/error_prone_annotations/2.23.0/error_prone_annotations-2.23.0.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/j2objc/j2objc-annotations/2.8/j2objc-annotations-2.8.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/squareup/javapoet/1.13.0/javapoet-1.13.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/googlejavaformat/google-java-format/1.5/google-java-format-1.5.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/javac-shaded/9-dev-r4023-3/javac-shaded-9-dev-r4023-3.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/squareup/kotlinpoet/1.11.0/kotlinpoet-1.11.0.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk8/1.6.10/kotlin-stdlib-jdk8-1.6.10.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk7/1.6.10/kotlin-stdlib-jdk7-1.6.10.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-reflect/1.6.10/kotlin-reflect-1.6.10.jar" />
-          <entry name="$MAVEN_REPOSITORY$/javax/inject/javax.inject/1/javax.inject-1.jar" />
           <entry name="$MAVEN_REPOSITORY$/net/ltgt/gradle/incap/incap/0.2/incap-0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-compat-qual/2.5.3/checker-compat-qual-2.5.3.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-metadata-jvm/2.2.20/kotlin-metadata-jvm-2.2.20.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/2.2.20/kotlin-stdlib-2.2.20.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/annotations/13.0/annotations-13.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.59.1/dagger-compiler-2.59.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.59.1/dagger-2.59.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/jakarta/inject/jakarta.inject-api/2.0.1/jakarta.inject-api-2.0.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jspecify/jspecify/1.0.0/jspecify-1.0.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.59.1/dagger-spi-2.59.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/2.2.20-2.0.3/symbol-processing-api-2.2.20-2.0.3.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/googlejavaformat/google-java-format/1.33.0/google-java-format-1.33.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/guava/guava/33.0.0-jre/guava-33.0.0-jre.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-qual/3.41.0/checker-qual-3.41.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/error_prone_annotations/2.23.0/error_prone_annotations-2.23.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/j2objc/j2objc-annotations/2.8/j2objc-annotations-2.8.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/squareup/javapoet/1.13.0/javapoet-1.13.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/squareup/kotlinpoet/1.11.0/kotlinpoet-1.11.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk8/1.6.10/kotlin-stdlib-jdk8-1.6.10.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk7/1.6.10/kotlin-stdlib-jdk7-1.6.10.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-reflect/1.6.10/kotlin-reflect-1.6.10.jar" />
-          <entry name="$MAVEN_REPOSITORY$/javax/inject/javax.inject/1/javax.inject-1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/net/ltgt/gradle/incap/incap/0.2/incap-0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-compat-qual/2.5.3/checker-compat-qual-2.5.3.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-metadata-jvm/2.2.20/kotlin-metadata-jvm-2.2.20.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/2.2.20/kotlin-stdlib-2.2.20.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/annotations/13.0/annotations-13.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-compat-qual/2.5.5/checker-compat-qual-2.5.5.jar" />
         </processorPath>
         <module name="cryptomator" />
       </profile>
@@ -70,7 +46,7 @@
   </component>
   <component name="JavacSettings">
     <option name="ADDITIONAL_OPTIONS_OVERRIDE">
-      <module name="cryptomator" options="-Adagger.fastInit=enabled" />
+      <module name="cryptomator" options="-Adagger.fastInit=enabled -Adagger.formatGeneratedSource=enabled" />
     </option>
   </component>
 </project>

.idea/inspectionProfiles/Project_Default.xml

@@ -1,8 +1,10 @@
 <component name="InspectionProjectProfileManager">
   <profile version="1.0">
     <option name="myName" value="Project Default" />
-    <inspection_tool class="Deprecation" enabled="true" level="WARNING" enabled_by_default="true" editorAttributes="DEPRECATED_ATTRIBUTES" />
-    <inspection_tool class="MarkedForRemoval" enabled="true" level="WARNING" enabled_by_default="true" editorAttributes="MARKED_FOR_REMOVAL_ATTRIBUTES" />
-    <inspection_tool class="RedundantScheduledForRemovalAnnotation" enabled="true" level="WARNING" enabled_by_default="true" editorAttributes="MARKED_FOR_REMOVAL_ATTRIBUTES" />
+    <inspection_tool class="SpellCheckingInspection" enabled="true" level="TYPO" enabled_by_default="true">
+      <option name="processCode" value="true" />
+      <option name="processLiterals" value="true" />
+      <option name="processComments" value="true" />
+    </inspection_tool>
   </profile>
 </component>

.idea/misc.xml

@@ -8,7 +8,7 @@
       </list>
     </option>
   </component>
-  <component name="ProjectRootManager" version="2" languageLevel="JDK_25" project-jdk-name="25" project-jdk-type="JavaSDK">
+  <component name="ProjectRootManager" version="2" languageLevel="JDK_24" project-jdk-name="24" project-jdk-type="JavaSDK">
     <output url="file://$PROJECT_DIR$/out" />
   </component>
 </project>

.idea/runConfigurations/Cryptomator_Linux.xml

@@ -2,7 +2,7 @@
   <configuration default="false" name="Cryptomator Linux" type="Application" factoryName="Application">
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator/mnt&quot; -Dcryptomator.showTrayIcon=true -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>

.idea/runConfigurations/Cryptomator_Linux_Dev.xml

@@ -2,7 +2,7 @@
   <configuration default="false" name="Cryptomator Linux Dev" type="Application" factoryName="Application">
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Dfuse.experimental=&quot;true&quot; -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dfuse.experimental=&quot;true&quot; -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>

.idea/runConfigurations/Cryptomator_Windows.xml

@@ -2,7 +2,7 @@
   <configuration default="false" name="Cryptomator Windows" type="Application" factoryName="Application">
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>

.idea/runConfigurations/Cryptomator_Windows_Dev.xml

@@ -2,7 +2,7 @@
   <configuration default="false" name="Cryptomator Windows Dev" type="Application" factoryName="Application">
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator-Dev/settings.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator-Dev/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator-Dev/keychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator-Dev/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator-Dev/key.p12;@{userhome}/AppData/Roaming/Cryptomator-Dev/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator-Dev&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator-Dev/settings.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator-Dev/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator-Dev/keychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator-Dev/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator-Dev/key.p12;@{userhome}/AppData/Roaming/Cryptomator-Dev/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator-Dev&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>

.idea/runConfigurations/Cryptomator_macOS.xml

@@ -5,7 +5,7 @@
     </envs>
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>

.idea/runConfigurations/Cryptomator_macOS_Dev.xml

@@ -5,7 +5,7 @@
     </envs>
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>

CHANGELOG.md

@@ -1,83 +0,0 @@
-# Changelog
-
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
-
-The changelog starts with version 1.19.0.
-Changes to prior versions can be found on the [Github release page](https://github.com/cryptomator/cryptomator/releases).
-
-## [1.19.2](https://github.com/cryptomator/cryptomator/releases/1.19.2) - 2026-03-20
-
-### Security
-* Cryptomamtor Hub Vaults: Additional patch for (#4179, [GHSA-34rf-rwr3-7g43](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43))
-
-
-## [1.19.1](https://github.com/cryptomator/cryptomator/releases/1.19.1) - 2026-03-12
-
-### Security
-* Cryptomamtor Hub Vaults: Fixed possible man-in-the-middle attack with tampered vault config (#4179, [GHSA-34rf-rwr3-7g43](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43))
-* Disallow unencrypted http connections to hub by default ([CVE-2026-32309](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-vv33-h7qx-c264))
-* Disallow loading of masterkey file from arbitrary paths (#4180, [CVE-2026-32310](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-5phc-5pfx-hr52))
-* Fixed not-configured plugin directory does not disable plugin search ([#4176](https://github.com/cryptomator/cryptomator/pull/4176))
-
-### Added
-* Trust on first use, adding new config properties `cryptomator.hub.allowedHosts` and `cryptomator.hub.enableTrustOnFirstUse` (#4179)
-
-### Fixed
-* Fixed Finder window opens twice when revealing vault on macOS ([#4177](https://github.com/cryptomator/cryptomator/pull/4177))
-* Fixed app does not start due to secret service detection failure on Linux ([#4175](https://github.com/cryptomator/cryptomator/pull/4175))
-
-### Changed
-* Pin version of appimagetool([#4181](https://github.com/cryptomator/cryptomator/pull/4181))
-* Updated translations
-* Updated dependencies:
-  * `org.cryptomator:integrations-api` from 1.8.0-beta1 to 1.8.0
-  * `org.cryptomator:integrations-linux` from 1.7.0-beta4 to 1.7.0
-  * `org.cryptomator:integrations-mac` from 1.5.0-beta3 to 1.5.0
-
-
-
-## [1.19.0](https://github.com/cryptomator/cryptomator/releases/tag/1.19.0) - 2026-03-09
-
-### Added
-* Self-Update Mechanism ([#3948](https://github.com/cryptomator/cryptomator/pull/3948))
-  * Implemented `.dmg` update mechanism
-  * Implemented Flatpak update mechanism
-* App notifications ([#4069](https://github.com/cryptomator/cryptomator/pull/4069))
-* Mark files in-use for Hub vaults ([#4078](https://github.com/cryptomator/cryptomator/pull/4078))
-* Accessibility: Adjust app to be used with a screen reader ([#547](https://github.com/cryptomator/cryptomator/issues/547))
-* Show Archived Vault Dialog on unlock when Hub returns 410 ([#4081](https://github.com/cryptomator/cryptomator/pull/4081))
-* Support automatic app theme selection according to OS theme on Linux ([#4027](https://github.com/cryptomator/cryptomator/issues/4027))
-* Admin configuration: Allow overwriting certain app properties by external config file ([#4105](https://github.com/cryptomator/cryptomator/pull/4105))
-* New keychain backend using [secret service API](https://specifications.freedesktop.org/secret-service/0.2) for Linux ([#4025](https://github.com/cryptomator/cryptomator/pull/4025))
-* Liquid Glass icon for macOS ([#4166](https://github.com/cryptomator/cryptomator/pull/4166))
-
-### Fixed
-* Fixed password reset/show recovery possible for vaults without masterkey file ([#4120](https://github.com/cryptomator/cryptomator/pull/4120))
-* Fixed restore vault config failed due to selecting a directory instead of file ([#4141](https://github.com/cryptomator/cryptomator/issues/4141))
-* Fixed leaking of cleartext paths into application log ([GHSA-j83j-mwhc-rcgw](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw))
-
-### Changed
-* Disable user defined app start config on Windows ([#4132](https://github.com/cryptomator/cryptomator/issues/4132))
-* Disable plugin loading by default ([#4136](https://github.com/cryptomator/cryptomator/4136))
-* Use JDK 25 ([#4031](https://github.com/cryptomator/cryptomator/pull/4031))
-* Update JavaFX to 25.0.2 ([#4145](https://github.com/cryptomator/cryptomator/pull/4145))
-* Updated translations
-* Updated dependencies
-  * `ch.qos.logback:*` from 1.5.19 to 1.5.32
-  * `com.fasterxml.jackson.core:jackson-databind` from 2.20.0 to 2.21.1
-  * `com.fasterxml.jackson.datatype:jackson-datatype-jsr310` from 2.20.0 to 2.21.1
-  * `com.github.ben-manes.caffeine:caffeine` from 3.2.2 to 3.2.3
-  * `com.google.dagger:*` from 2.57.2 to 2.59.2
-  * `org.apache.commons:commons-lang3` from 3.19.0 to 3.20.0
-  * `org.cryptomator:cryptofs` from 2.9.0 to 2.10.0
-  * `org.cryptomator:cryptolib` from 2.2.1 to 2.2.2
-  * `org.cryptomator:fuse-nio-adapter` from 5.1.0 to 6.0.1
-  * `org.cryptomator:integrations-api` from 1.7.0 to 1.8.0-beta1
-  * `org.cryptomator:integrations-linux` from 1.6.1 to 1.7.0-beta4
-  * `org.cryptomator:integrations-mac` from 1.4.1 to 1.5.0-beta3
-  * `org.cryptomator:integrations-win` from 1.5.1 to 1.6.0
-  * `org.cryptomator:webdav-nio-adapter` from 3.0.0 to 3.0.1
-  * `org.cryptomator:webdav-nio-adapter-servlet` to 1.2.12
-

README.md

@@ -78,7 +78,7 @@ For more information on the security details visit [cryptomator.org](https://doc
 
 ### Dependencies
 
-* JDK 25 (e.g. temurin, zulu)
+* JDK 24 (e.g. temurin, zulu)
 * Maven 3
 
 ### Run Maven

dist/common/config.properties

@@ -1,8 +0,0 @@
-# This is the Cryptomator administrative configuration file.
-# It is a simple key-value pair file.
-# Lines starting with '#' are comments and will be ignored.
-# For more info, read the docs at https://docs.cryptomator.org/desktop/advanced-settings/
-#
-# Example:
-# Sets the plugin directory and enables plugin loading
-# cryptomator.pluginDir=@{userhome}/Cryptomator/Plugins

dist/linux/appimage/build.sh

@@ -19,16 +19,16 @@ if [[ ! "${CPU_ARCH}" =~ x86_64|aarch64 ]]; then echo "Platform ${CPU_ARCH} not
 mvn -f ../../../pom.xml versions:set -DnewVersion=${SEMVER_STR}
 
 # compile
-mvn -B -f ../../../pom.xml clean package -Plinux -DskipTests
+mvn -B -f ../../../pom.xml clean package -Plinux -DskipTests -Djavafx.platform=linux
 cp ../../../LICENSE.txt ../../../target
 cp ../../../target/cryptomator-*.jar ../../../target/mods
 
-JAVAFX_VERSION=25.0.2
+JAVAFX_VERSION=24.0.1
 JAVAFX_ARCH="x64"
-JAVAFX_JMODS_SHA256='e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
+JAVAFX_JMODS_SHA256='425fac742b9fbd095b2ce868cff82d1024620f747c94a7144d0a4879e756146c'
 if [ "${CPU_ARCH}" = "aarch64" ]; then
     JAVAFX_ARCH="aarch64"
-    JAVAFX_JMODS_SHA256='c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'
+    JAVAFX_JMODS_SHA256='7e02edd0f4ee5527a27c94b0bbba66fcaaff41009119e45d0eca0f96ddfb6e7b'
 fi
 
 # download javaFX jmods
@@ -62,7 +62,7 @@ ${JAVA_HOME}/bin/jlink \
     --verbose \
     --output runtime \
     --module-path "${JMOD_PATHS}" \
-    --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler \
+    --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler \
     --strip-native-commands \
     --no-header-files \
     --no-man-pages \
@@ -88,8 +88,8 @@ ${JAVA_HOME}/bin/jpackage \
     --app-version "${VERSION}.${REVISION_NO}" \
     --java-options "-Dfile.encoding=\"utf-8\"" \
     --java-options "-Djava.net.useSystemProxies=true" \
-    --java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\"" \
     --java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\"" \
+    --java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\"" \
     --java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:@{userhome}/.Cryptomator/settings.json\"" \
     --java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\"" \
     --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\"" \
@@ -98,8 +98,6 @@ ${JAVA_HOME}/bin/jpackage \
     --java-options "-Dcryptomator.integrationsLinux.trayIconsDir=\"@{appdir}/usr/share/icons/hicolor/symbolic/apps\"" \
     --java-options "-Dcryptomator.buildNumber=\"appimage-${REVISION_NO}\"" \
     --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\"" \
-    --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log" \
-    --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
     --resource-dir ../resources
 
 # transform AppDir
@@ -116,7 +114,6 @@ cp ../common/org.cryptomator.Cryptomator.tray-unlocked.svg Cryptomator.AppDir/us
 cp ../common/org.cryptomator.Cryptomator.desktop Cryptomator.AppDir/usr/share/applications/org.cryptomator.Cryptomator.desktop
 cp ../common/org.cryptomator.Cryptomator.metainfo.xml Cryptomator.AppDir/usr/share/metainfo/org.cryptomator.Cryptomator.metainfo.xml
 cp ../common/application-vnd.cryptomator.vault.xml Cryptomator.AppDir/usr/share/mime/packages/application-vnd.cryptomator.vault.xml
-cp ../common/application-vnd.cryptomator.encrypted.xml Cryptomator.AppDir/usr/share/mime/packages/application-vnd.cryptomator.encrypted.xml
 ln -s usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg Cryptomator.AppDir/org.cryptomator.Cryptomator.svg
 ln -s usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg Cryptomator.AppDir/.DirIcon
 ln -s usr/share/applications/org.cryptomator.Cryptomator.desktop Cryptomator.AppDir/org.cryptomator.Cryptomator.desktop
@@ -124,7 +121,7 @@ ln -s org.cryptomator.Cryptomator.metainfo.xml Cryptomator.AppDir/usr/share/meta
 ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun
 
 # load AppImageTool
-curl -L https://github.com/AppImage/appimagetool/releases/download/1.9.1/appimagetool-${CPU_ARCH}.AppImage -o /tmp/appimagetool.AppImage
+curl -L https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-${CPU_ARCH}.AppImage -o /tmp/appimagetool.AppImage
 chmod +x /tmp/appimagetool.AppImage
 
 # create AppImage

dist/linux/common/application-vnd.cryptomator.encrypted.xml

@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
-  <mime-type type="application/vnd.cryptomator.encrypted">
-    <comment>Cryptomator Encrypted Data</comment>
-    <glob pattern="*.c9r"/>
-    <glob pattern="*.c9s"/>
-    <glob pattern="*.c9u"/>
-  </mime-type>
-</mime-info>

dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml

@@ -73,7 +73,6 @@
 	<url type="faq">https://community.cryptomator.org/c/kb/faq</url>
 	<url type="help">https://docs.cryptomator.org/</url>
 	<url type="translate">https://translate.cryptomator.org</url>
-	<url type="vcs-browser">https://github.com/cryptomator/cryptomator</url>
 
 	<developer id="de.skymatic">
 		<name>Skymatic GmbH</name>
@@ -84,21 +83,6 @@
 	</content_rating>
 
 	<releases>
-		<release date="2026-03-20" version="1.19.2">
-			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.2</url>
-		</release>
-		<release date="2026-03-12" version="1.19.1">
-			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.1</url>
-		</release>
-		<release date="2026-03-09" version="1.19.0">
-			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.0</url>
-		</release>
-		<release date="2025-11-12" version="1.18.0">
-			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.18.0</url>
-		</release>
-		<release date="2025-07-08" version="1.17.1">
-			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.17.1</url>
-		</release>
 		<release date="2025-06-24" version="1.17.0">
 			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.17.0</url>
 		</release>

dist/linux/debian/control

@@ -2,7 +2,7 @@ Source: cryptomator
 Maintainer: Cryptobot <releases@cryptomator.org>
 Section: utils
 Priority: optional
-Build-Depends: debhelper (>=10), openjdk-25-jdk (>= 25+36), libgtk-3-0 (>= 3.20.0), libxxf86vm1, libgl1
+Build-Depends: debhelper (>=10), coffeelibs-jdk-24 (>= 24.0.1+9-0ppa3), libgtk-3-0,  libxxf86vm1, libgl1
 Standards-Version: 4.5.0
 Homepage: https://cryptomator.org
 Vcs-Git: https://github.com/cryptomator/cryptomator.git
@@ -12,7 +12,7 @@ Package: cryptomator
 Architecture: any
 Section: utils
 Priority: optional
-Depends: ${shlibs:Depends}, ${misc:Depends}, fuse3, libgtk-3-0 (>= 3.20.0)
+Depends: ${shlibs:Depends}, ${misc:Depends}, fuse3
 Recommends: gvfs-backends, gvfs-fuse, gnome-keyring
 XB-AppName: Cryptomator
 XB-Category: Utility;Security;FileTools;

dist/linux/debian/cryptomator.install

@@ -6,5 +6,4 @@ common/org.cryptomator.Cryptomator.tray-unlocked.svg usr/share/icons/hicolor/sca
 common/org.cryptomator.Cryptomator256.png usr/share/icons/hicolor/256x256/apps
 common/org.cryptomator.Cryptomator512.png usr/share/icons/hicolor/512x512/apps
 common/org.cryptomator.Cryptomator.metainfo.xml usr/share/metainfo
-common/application-vnd.cryptomator.vault.xml usr/share/mime/packages
-common/application-vnd.cryptomator.encrypted.xml usr/share/mime/packages
+common/application-vnd.cryptomator.vault.xml usr/share/mime/packages

dist/linux/debian/postinst

@@ -25,7 +25,6 @@ case "$1" in
         fi
         xdg-desktop-menu install --novendor /usr/share/applications/org.cryptomator.Cryptomator.desktop
         xdg-mime install /usr/share/mime/packages/application-vnd.cryptomator.vault.xml
-        xdg-mime install /usr/share/mime/packages/application-vnd.cryptomator.encrypted.xml
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

dist/linux/debian/prerm

@@ -23,7 +23,6 @@ case "$1" in
 
         xdg-desktop-menu uninstall --novendor /usr/share/applications/org.cryptomator.Cryptomator.desktop
         xdg-mime uninstall /usr/share/mime/packages/application-vnd.cryptomator.vault.xml
-        xdg-mime uninstall /usr/share/mime/packages/application-vnd.cryptomator.encrypted.xml
     ;;
 
     failed-upgrade)

dist/linux/debian/rules

@@ -4,12 +4,11 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+JAVA_HOME = /usr/lib/jvm/java-24-coffeelibs
 DEB_BUILD_ARCH ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH)
 ifeq ($(DEB_BUILD_ARCH),amd64)
-JAVA_HOME = /usr/lib/jvm/java-25-openjdk-amd64
 JMODS_PATH = jmods/amd64:${JAVA_HOME}/jmods
 else ifeq ($(DEB_BUILD_ARCH),arm64)
-JAVA_HOME = /usr/lib/jvm/java-25-openjdk-arm64
 JMODS_PATH = jmods/aarch64:${JAVA_HOME}/jmods
 endif
 
@@ -29,7 +28,7 @@ override_dh_auto_build:
 	$(JAVA_HOME)/bin/jlink \
 		--output runtime \
 		--module-path "${JMODS_PATH}" \
-		--add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler \
+		--add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler \
 		--strip-native-commands \
 		--no-header-files \
 		--no-man-pages \
@@ -46,13 +45,14 @@ override_dh_auto_build:
 		--vendor "Skymatic GmbH" \
 		--java-options "--enable-preview" \
 		--java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator" \
+		--java-options "--sun-misc-unsafe-memory-access=allow" \
 		--copyright "(C) 2016 - 2025 Skymatic GmbH" \
 		--java-options "-Xss5m" \
 		--java-options "-Xmx256m" \
 		--java-options "-Dfile.encoding=\"utf-8\"" \
 		--java-options "-Djava.net.useSystemProxies=true" \
-		--java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\"" \
 		--java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\"" \
+		--java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\"" \
 		--java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:@{userhome}/.Cryptomator/settings.json\"" \
 		--java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\"" \
 		--java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\"" \
@@ -64,7 +64,6 @@ override_dh_auto_build:
 		--java-options "-Dcryptomator.disableUpdateCheck=\"${DISABLE_UPDATE_CHECK}\"" \
 		--java-options "-Dcryptomator.integrationsLinux.autoStartCmd=\"cryptomator\"" \
 		--java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\"" \
-		--java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
 		--app-version "${VERSION_NUM}.${REVISION_NUM}" \
 		--resource-dir resources \
 		--verbose

dist/linux/makepkg/PKGBUILD.template

@@ -1,119 +0,0 @@
-# Maintainer: Aaron Graves <linux@ajgraves.com>
-# Contributor: Julian Raufelder <arch@raufelder.com>
-# Contributor: Morten Linderud <morten@linderud.pw>
-# Contributor: Sebastian Stenzel <sebastian.stenzel@gmail.com>
-# Contributor: Armin Schrenk <armin.schrenk@skymatic.de>
-
-pkgname=cryptomator
-pkgver=$PKG_VERSION
-pkgrel=$PKG_RELEASE
-pkgdesc="Multiplatform transparent client-side encryption of your files in the cloud."
-arch=('any')
-url="https://cryptomator.org/"
-license=('GPL3')
-depends=('fuse3' 'alsa-lib' 'hicolor-icon-theme' 'libxtst' 'libnet' 'libxrender')
-makedepends=('maven' 'unzip')
-optdepends=('keepassxc-cryptomator: Use KeePassXC to store vault passwords' 'ttf-hanazono: Install this font when using Japanese system language')
-_jdkver=25.0.2+10
-_jfxver=25.0.2
-_src_app_dir=cryptomator-${pkgver//_/-}
-source=($SOURCES);
-source_x86_64=("jdk-${_jdkver}.tar.gz::https://github.com/adoptium/temurin${_jdkver:0:2}-binaries/releases/download/jdk-${_jdkver//\+/%2B}/OpenJDK${_jdkver:0:2}U-jdk_x64_linux_hotspot_${_jdkver//\+/_}.tar.gz"
-               "openjfx-${_jfxver}.zip::https://download2.gluonhq.com/openjfx/${_jfxver}/openjfx-${_jfxver}_linux-x64_bin-jmods.zip")
-source_aarch64=("jdk-${_jdkver}.tar.gz::https://github.com/adoptium/temurin${_jdkver:0:2}-binaries/releases/download/jdk-${_jdkver//\+/%2B}/OpenJDK${_jdkver:0:2}U-jdk_aarch64_linux_hotspot_${_jdkver//\+/_}.tar.gz"
-                "openjfx-${_jfxver}.zip::https://download2.gluonhq.com/openjfx/${_jfxver}/openjfx-${_jfxver}_linux-aarch64_bin-jmods.zip")
-noextract=("jdk-${_jdkver}.tar.gz" "openjfx-${_jfxver}.zip")
-sha256sums=($SOURCES_SHA)
-sha256sums_x86_64=('987387933b64b9833846dee373b640440d3e1fd48a04804ec01a6dbf718e8ab8'
-                   'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b')
-sha256sums_aarch64=('a9d73e711d967dc44896d4f430f73a68fd33590dabc29a7f2fb9f593425b854c'
-                    'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646')
-options=('!strip')
-
-validpgpkeys=('58117AFA1F85B3EEC154677D615D449FE6E6A235')
-
-build() {
-  export JAVA_HOME="${srcdir}/jdk-${_jdkver}"
-  JMODS_PATH="${srcdir}/openjfx-${_jfxver}-jmods"
-  #JEP 493
-  if ! $(${JAVA_HOME}/bin/jlink --help | grep -q "Linking from run-time image enabled"); then
-      JMODS_PATH="${JMODS_PATH}:${JAVA_HOME}/jmods:"
-  fi
-
-  tar xfz "jdk-${_jdkver}.tar.gz"
-
-  mkdir "openjfx-${_jfxver}-jmods"
-  unzip -j "openjfx-${_jfxver}.zip" \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d "openjfx-${_jfxver}-jmods"
-
-  cd "${srcdir}/${_src_app_dir}"
-
-  mvn -B clean package -DskipTests -Plinux
-
-  cp LICENSE.txt target
-  cp target/cryptomator-*.jar target/mods
-
-  cd target
-
-  "$JAVA_HOME/bin/jlink" \
-    --output runtime \
-    --module-path "$JMODS_PATH" \
-    --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.ec,jdk.crypto.cryptoki,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler \
-    --strip-native-commands \
-    --no-header-files \
-    --no-man-pages \
-    --strip-debug \
-    --compress=zip-0
-
-  ##Note: jpackage does not allow -beta suffixes, have to strip those
-  "$JAVA_HOME/bin/jpackage" \
-    --type app-image \
-    --runtime-image runtime \
-    --input libs \
-    --module-path mods \
-    --module org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator \
-    --dest . \
-    --name cryptomator \
-    --vendor "Skymatic GmbH" \
-    --copyright "(C) 2016 - 2026 Skymatic GmbH" \
-    --java-options "--enable-preview" \
-    --java-options '--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator' \
-    --java-options "-Xss5m" \
-    --java-options "-Xmx256m" \
-    --java-options "-Dfile.encoding=\"utf-8\"" \
-    --java-options "-Djava.net.useSystemProxies=true" \
-    --java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\"" \
-    --java-options "-Dcryptomator.appVersion=\"${pkgver//_/-}\"" \
-    --java-options "-Dcryptomator.buildNumber=\"aur-${pkgrel}\"" \
-    --java-options "-Dcryptomator.disableUpdateCheck=true" \
-    --java-options "-Dcryptomator.integrationsLinux.autoStartCmd=\"cryptomator\"" \
-    --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\"" \
-    --java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\"" \
-    --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/.local/share/Cryptomator/mnt\"" \
-    --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\"" \
-    --java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\"" \
-    --java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\"" \
-    --java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json\"" \
-    --java-options "-Dcryptomator.showTrayIcon=true" \
-    --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
-    --app-version "${pkgver//_*/}" \
-    --verbose
-}
-
-package() {
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/application-vnd.cryptomator.vault.xml" "${pkgdir}/usr/share/mime/packages/cryptomator-vault.xml"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.desktop" "${pkgdir}/usr/share/applications/org.cryptomator.Cryptomator.desktop"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator256.png" "${pkgdir}/usr/share/icons/hicolor/256x256/apps/org.cryptomator.Cryptomator.png"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator512.png" "${pkgdir}/usr/share/icons/hicolor/512x512/apps/org.cryptomator.Cryptomator.png"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.tray.svg"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.tray-unlocked.svg"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray.svg" "${pkgdir}/usr/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-symbolic.svg"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg" "${pkgdir}/usr/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-unlocked-symbolic.svg"
-
-  mkdir -p "${pkgdir}/opt/cryptomator/"
-  cp -R "${srcdir}/${_src_app_dir}/target/cryptomator" "${pkgdir}/opt/"
-  install -Dm644 "${srcdir}/${_src_app_dir}/target/LICENSE.txt" -t "${pkgdir}/usr/share/licenses/${pkgname}"
-
-  mkdir -p "${pkgdir}/usr/bin"
-  ln -s "/opt/cryptomator/bin/cryptomator" "${pkgdir}/usr/bin/cryptomator"
-}

dist/mac/dmg/build.sh

@@ -32,15 +32,15 @@ REVISION_NO=`git rev-list --count HEAD`
 VERSION_NO=`mvn -f../../../pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout | sed -rn 's/.*([0-9]+\.[0-9]+\.[0-9]+).*/\1/p'`
 FUSE_LIB="FUSE-T"
 
-JAVAFX_VERSION=25.0.2
+JAVAFX_VERSION=24.0.1
 JAVAFX_ARCH="undefined"
 JAVAFX_JMODS_SHA256="undefined"
 if [ "$(machine)" = "arm64e" ]; then
     JAVAFX_ARCH="aarch64"
-    JAVAFX_JMODS_SHA256="4cd258001c75af7047005c5c891e2400ed11d24fbb09412324c0cbaf8b503c5a"
+    JAVAFX_JMODS_SHA256="b5a94a13077507003fa852512bfa33f4fb680bc8076d8002e4227a84c85171d4"
 else
     JAVAFX_ARCH="x64"
-    JAVAFX_JMODS_SHA256="0b4d8463f03901b7425d94628e4116b7078abb8dd540fbec415266fac20bda5c"
+    JAVAFX_JMODS_SHA256="6e62a426d43c168a488521f904a523f3dd6ee2cf103e08136f2fd465c828a105"
 fi
 JAVAFX_JMODS_URL="https://download2.gluonhq.com/openjfx/${JAVAFX_VERSION}/openjfx-${JAVAFX_VERSION}_osx-${JAVAFX_ARCH}_bin-jmods.zip"
 
@@ -71,7 +71,7 @@ if [ "${POM_JFX_VERSION}" -ne "${JMOD_VERSION}" ]; then
 fi
 
 # compile
-mvn -B -f../../../pom.xml clean package -DskipTests -Pmac
+mvn -B -Djavafx.platform=mac -f../../../pom.xml clean package -DskipTests -Pmac
 cp ../../../LICENSE.txt ../../../target
 cp ../../../target/${MAIN_JAR_GLOB} ../../../target/mods
 
@@ -85,7 +85,7 @@ fi
 ${JAVA_HOME}/bin/jlink \
     --output runtime \
     --module-path "${JMOD_PATHS}" \
-    --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,java.compiler \
+    --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,java.compiler \
     --strip-native-commands \
     --no-header-files \
     --no-man-pages \
@@ -114,30 +114,26 @@ ${JAVA_HOME}/bin/jpackage \
     --java-options "-Dapple.awt.enableTemplateImages=true" \
     --java-options "-Dsun.java2d.metal=true" \
     --java-options "-Dcryptomator.appVersion=\"${VERSION_NO}\"" \
-    --java-options "-Dcryptomator.adminConfigPath=\"/Library/Application Support/Cryptomator/config.properties\"" \
     --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/${APP_NAME}\"" \
-    --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log" \
+    --java-options "-Dcryptomator.pluginDir=\"@{userhome}/Library/Application Support/${APP_NAME}/Plugins\"" \
     --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/${APP_NAME}/settings.json\"" \
     --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/Library/Application Support/${APP_NAME}/ipc.socket\"" \
     --java-options "-Dcryptomator.p12Path=\"@{userhome}/Library/Application Support/${APP_NAME}/key.p12\"" \
     --java-options "-Dcryptomator.integrationsMac.keychainServiceName=\"${APP_NAME}\"" \
     --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support${APP_NAME}/mnt\"" \
     --java-options "-Dcryptomator.showTrayIcon=true" \
-    --java-options "-Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism" \
     --java-options "-Dcryptomator.buildNumber=\"dmg-${REVISION_NO}\"" \
-    --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
     --mac-package-identifier ${PACKAGE_IDENTIFIER} \
     --resource-dir ../resources
 
 # transform app dir
 cp ../resources/${APP_NAME}-Vault.icns ${APP_NAME}.app/Contents/Resources/
-cp ../resources/Assets.car ${APP_NAME}.app/Contents/Resources/
 sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" ${APP_NAME}.app/Contents/Info.plist
 sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" ${APP_NAME}.app/Contents/Info.plist
 cp ../embedded.provisionprofile ${APP_NAME}.app/Contents/
 
 # generate license
-mvn -B -f../../../pom.xml license:add-third-party \
+mvn -B -Djavafx.platform=mac -f../../../pom.xml license:add-third-party \
     -Dlicense.thirdPartyFilename=license.rtf \
     -Dlicense.outputDirectory=dist/mac/dmg/resources \
     -Dlicense.fileTemplate=resources/licenseTemplate.ftl \

dist/mac/resources/Info.plist

@@ -12,8 +12,6 @@
   <string>Cryptomator</string>
   <key>CFBundleIconFile</key>
   <string>Cryptomator.icns</string>
-  <key>CFBundleIconName</key>
-  <string>Cryptomator</string>
   <key>CFBundleIdentifier</key>
   <string>org.cryptomator</string>
   <key>CFBundleInfoDictionaryVersion</key>
@@ -107,7 +105,6 @@
         <array>
           <string>c9r</string>
           <string>c9s</string>
-          <string>c9u</string>
         </array>
         <key>public.mime-type</key>
         <array>

dist/win/build.bat

@@ -11,10 +11,6 @@ SET HELP_URL="https://cryptomator.org/contact/"
 SET MODULE_AND_MAIN_CLASS="org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator"
 SET LOOPBACK_ALIAS="cryptomator-vault"
 
-:: read clean parameter from command line
-SET CLEAN=0
-IF "%~1"=="clean" SET CLEAN=1
-
 pwsh -NoLogo -NoProfile -ExecutionPolicy Unrestricted -Command .\build.ps1^
  -AppName %APPNAME%^
  -MainJarGlob "%MAIN_JAR_GLOB%"^
@@ -26,4 +22,4 @@ pwsh -NoLogo -NoProfile -ExecutionPolicy Unrestricted -Command .\build.ps1^
  -HelpUrl "%HELP_URL%"^
  -UpdateUrl "%UPDATE_URL%"^
  -LoopbackAlias "%LOOPBACK_ALIAS%"^
- -Clean %CLEAN%
+ -Clean 1

dist/win/build.ps1

@@ -9,15 +9,9 @@ Param(
 	[Parameter(Mandatory, HelpMessage="Please provide an update url")][string] $UpdateUrl,
 	[Parameter(Mandatory, HelpMessage="Please provide an about url")][string] $AboutUrl,
 	[Parameter(Mandatory, HelpMessage="Please provide an alias for localhost")][string] $LoopbackAlias,
-	[bool] $clean = $false # if true, cleans up previous build artifacts
+	[bool] $clean
 )
 
-# ============================
-# Function Definitions Section
-# ============================
-
-function Main {
-
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $ProgressPreference = 'SilentlyContinue' # disables Invoke-WebRequest's progress bar, which slows down downloads to a few bytes/s
 
@@ -34,20 +28,20 @@ if ((Get-Command "mvn" -ErrorAction SilentlyContinue) -eq $null)
 }
 if ((Get-Command 'wix' -ErrorAction SilentlyContinue) -eq $null)
 {
-   Write-Error 'Unable to find wix in your PATH (try: dotnet tool install --global wix --version 6.0.2)'
+   Write-Error 'Unable to find wix in your PATH (try: dotnet tool install --global wix --version 6.0.0)'
    exit 1
 }
 $wixExtensions = & wix.exe extension list --global | Out-String
 if ($wixExtensions -notmatch 'WixToolset.UI.wixext') {
-    Write-Error 'Wix UI extension missing. Please install it with: wix.exe extension add WixToolset.UI.wixext/6.0.2 --global)'
+    Write-Error 'Wix UI extension missing. Please install it with: wix.exe extension add WixToolset.UI.wixext/6.0.0 --global)'
     exit 1
 }
 if ($wixExtensions -notmatch 'WixToolset.Util.wixext') {
-    Write-Error 'Wix Util extension missing. Please install it with: wix.exe extension add WixToolset.Util.wixext/6.0.2 --global)'
+    Write-Error 'Wix Util extension missing. Please install it with: wix.exe extension add WixToolset.Util.wixext/6.0.0 --global)'
     exit 1
 }
 if ($wixExtensions -notmatch 'WixToolset.BootstrapperApplications.wixext') {
-    Write-Error 'Wix Bootstrapper extension missing. Please install it with: wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.2 --global)'
+    Write-Error 'Wix Bootstrapper extension missing. Please install it with: wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.0 --global)'
     exit 1
 }
 
@@ -55,17 +49,18 @@ $buildDir = Split-Path -Parent $PSCommandPath
 $version = $(mvn -f $buildDir/../../pom.xml help:evaluate -Dexpression="project.version" -q -DforceStdout)
 $semVerNo = $version -replace '(\d+\.\d+\.\d+).*','$1'
 $revisionNo = $(git rev-list --count HEAD)
+$signingCertThumbprint = "TODO"
 
-Write-Host "`$version=$version"
-Write-Host "`$semVerNo=$semVerNo"
-Write-Host "`$revisionNo=$revisionNo"
-Write-Host "`$buildDir=$buildDir"
-Write-Host "`$Env:JAVA_HOME=$Env:JAVA_HOME"
+Write-Output "`$version=$version"
+Write-Output "`$semVerNo=$semVerNo"
+Write-Output "`$revisionNo=$revisionNo"
+Write-Output "`$buildDir=$buildDir"
+Write-Output "`$Env:JAVA_HOME=$Env:JAVA_HOME"
 
 $copyright = "(C) $CopyrightStartYear - $((Get-Date).Year) $Vendor"
 
 # compile
-&mvn -B -f $buildDir/../../pom.xml clean package -DskipTests -Pwin
+&mvn -B -f $buildDir/../../pom.xml clean package -DskipTests -Pwin "-Djavafx.platform=win"
 Copy-Item "$buildDir\..\..\target\$MainJarGlob.jar" -Destination "$buildDir\..\..\target\mods"
 
 # add runtime
@@ -77,7 +72,7 @@ if ($clean -and (Test-Path -Path $runtimeImagePath)) {
 ## download jfx jmods for X64, while they are part of the Arm64 JDK
 $archCode = (Get-CimInstance Win32_Processor).Architecture
 $archName = switch ($archCode) {
-    9  { "x64" }
+    9  { "x64 (AMD64)" }
     12 { "ARM64" }
     default { "WMI Win32_Processor.Architecture code ($archCode)" }
 }
@@ -86,20 +81,20 @@ switch ($archName) {
     'ARM64' {
 		$javafxBaseJmod = Join-Path $Env:JAVA_HOME "jmods\javafx.base.jmod"
 		if (!(Test-Path $javafxBaseJmod)) {
-			Write-Error "JavaFX module not found in JDK. Please ensure a JDK with JavaFX (including jmods) is installed."
+			Write-Error "JavaFX module not found in JDK. Please ensure full JDK (including jmods) is installed."
 			exit 1
 		}
 
         $jmodPaths = "$Env:JAVA_HOME/jmods"
     }
-    'x64' {
-		$javaFxVersion='25.0.2'
+    'x64 (AMD64)' {
+		$javaFxVersion='24.0.1'
 		$javaFxJmodsUrl = "https://download2.gluonhq.com/openjfx/${javaFxVersion}/openjfx-${javaFxVersion}_windows-x64_bin-jmods.zip"
-		$javaFxJmodsSHA256 = '33d878dfac85590c4d77c518ed413e512d34a8479d90132b230a7ddd173576b3'
+		$javaFxJmodsSHA256 = 'f13d17c7caf88654fc835f1b4e75a9b0f34a888eb8abef381796c0002e63b03f'
 		$javaFxJmods = '.\resources\jfxJmods.zip'
 
 		if( !(Test-Path -Path $javaFxJmods) ) {
-			Write-Host "Downloading ${javaFxJmodsUrl}..."
+			Write-Output "Downloading ${javaFxJmodsUrl}..."
 			Invoke-WebRequest $javaFxJmodsUrl -OutFile $javaFxJmods # redirects are followed by default
 		}
 
@@ -123,7 +118,7 @@ switch ($archName) {
 }
 
 ## create custom runtime
-### check for JEP 493
+### adjust for JEP 493
 if ((& "$Env:JAVA_HOME\bin\jlink" --help | Select-String -Pattern "Linking from run-time image enabled" -SimpleMatch | Measure-Object).Count -eq 0 ) {
 	$jmodPaths="$Env:JAVA_HOME/jmods;" + $jmodPaths;
 }
@@ -133,7 +128,7 @@ if ((& "$Env:JAVA_HOME\bin\jlink" --help | Select-String -Pattern "Linking from
 	--verbose `
 	--output runtime `
 	--module-path $jmodPaths `
-	--add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.accessibility,jdk.management.jfr,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.crypto.mscapi,java.compiler,javafx.base,javafx.graphics,javafx.controls,javafx.fxml `
+	--add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.accessibility,jdk.management.jfr,jdk.crypto.mscapi,java.compiler,javafx.base,javafx.graphics,javafx.controls,javafx.fxml `
 	--strip-native-commands `
 	--no-header-files `
 	--no-man-pages `
@@ -154,8 +149,7 @@ $javaOptions = @(
 "--java-options", "-Dfile.encoding=`"utf-8`""
 "--java-options", "-Djava.net.useSystemProxies=true"
 "--java-options", "-Dcryptomator.logDir=`"@{localappdata}/$AppName`""
-"--java-options", "-XX:ErrorFile=`"C:/cryptomator/cryptomator_crash.log`""
-"--java-options", "-Dcryptomator.adminConfigPath=`"C:/ProgramData/$AppName/config.properties`""
+"--java-options", "-Dcryptomator.pluginDir=`"@{appdata}/$AppName/Plugins`""
 "--java-options", "-Dcryptomator.settingsPath=`"@{appdata}/$AppName/settings.json;@{userhome}/AppData/Roaming/$AppName/settings.json`""
 "--java-options", "-Dcryptomator.ipcSocketPath=`"@{localappdata}/$AppName/ipc.socket`""
 "--java-options", "-Dcryptomator.p12Path=`"@{appdata}/$AppName/key.p12;@{userhome}/AppData/Roaming/$AppName/key.p12`""
@@ -166,8 +160,6 @@ $javaOptions = @(
 "--java-options", "-Dcryptomator.integrationsWin.windowsHelloKeychainPaths=`"@{appdata}/$AppName/windowsHelloKeychain.json`""
 "--java-options", "-Dcryptomator.showTrayIcon=true"
 "--java-options", "-Dcryptomator.buildNumber=`"msi-$revisionNo`""
-"--java-options", "-Dcryptomator.disableUpdateCheck=false"
-"--java-options", "-Dcryptomator.hub.enableTrustOnFirstUse=true"
 )
 
 
@@ -186,7 +178,7 @@ $javaOptions = @(
 	--app-version "$semVerNo.$revisionNo" `
 	--resource-dir resources `
 	--icon resources/$AppName.ico `
-	--add-launcher "${AppName} (Debug)=$buildDir\debug-launcher.properties" `
+	--add-launcher "Debug_${AppName}=$buildDir\debug-launcher.properties" `
 	@javaOptions
 
 if ($LASTEXITCODE -ne 0) {
@@ -195,7 +187,7 @@ if ($LASTEXITCODE -ne 0) {
 }
 
 #Create RTF license for msi
-&mvn -B -f $buildDir/../../pom.xml license:add-third-party `
+&mvn -B -f $buildDir/../../pom.xml license:add-third-party "-Djavafx.platform=win" `
  "-Dlicense.thirdPartyFilename=license.rtf" `
  "-Dlicense.fileTemplate=$buildDir\resources\licenseTemplate.ftl" `
  "-Dlicense.outputDirectory=$buildDir\resources\" `
@@ -207,7 +199,62 @@ if ($LASTEXITCODE -ne 0) {
 # patch app dir
 Copy-Item "contrib\*" -Destination "$AppName"
 attrib -r "$AppName\$AppName.exe"
-attrib -r "$AppName\${AppName} (Debug).exe"
+attrib -r "$AppName\Debug_${AppName}.exe"
+# patch batch script to set hostfile
+$webDAVPatcher = "$AppName\patchWebDAV.bat"
+try {
+	(Get-Content $webDAVPatcher ) -replace '::REPLACE ME', "SET LOOPBACK_ALIAS=`"$LoopbackAlias`"" | Set-Content $webDAVPatcher
+} catch {
+   Write-Host "Failed to set LOOPBACK_ALIAS for patchWebDAV.bat"
+   exit 1
+}
+
+# sign app dir
+## extract
+Add-Type -AssemblyName "System.io.compression.filesystem"
+$jarFolder = Resolve-Path "$AppName\app\mods"
+$jarExtractDir = New-Item -Path "$AppName\jar-extract" -ItemType Directory
+Get-ChildItem -Path $jarFolder -Filter "*.jar" | ForEach-Object {
+	$jar = [Io.compression.zipfile]::OpenRead($_.FullName)
+	if (@($jar.Entries | Where-Object {
+		$_.Name.ToString().EndsWith(".dll")} | Select-Object -First 1).Count -gt 0) {
+		#jars containing dlls extract
+		Set-Location $jarExtractDir
+		Expand-Archive -Path $_.FullName
+
+	}
+	$jar.Dispose()
+}
+Set-Location $buildDir
+## Extract wixhelper.dll for Codesigning #see https://github.com/cryptomator/cryptomator/issues/3130
+if($jmodPaths -like "${env:JAVA_HOME}\jmods") {
+	$wixHelperDir = New-Item -Path ${AppName}/jpackage-jmod -ItemType Directory
+	& ${env:JAVA_HOME}\bin\jmod.exe extract --dir $wixHelperDir "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
+	Get-ChildItem -Recurse -Path "$wixHelperDir" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "${AppName}/"
+}
+
+## prepare signtool
+Write-Output "Signing files in app dir $AppName..."
+$signTool = Get-ChildItem -Path "${Env:ProgramFiles(x86)}\Windows Kits\10\bin\" -Recurse -Filter "signtool.exe" | Where-Object FullName -like "*${archName}*" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
+if ($null -eq $signTool) {
+	Write-Error "Unable to find signtool.exe in ${Env:ProgramFiles(x86)}\Windows Kits\10\bin\. Please ensure Windows SDK is installed."
+	exit 1
+}
+Write-Output "Using signtool: $($signTool.FullName)"
+Write-Output "Using signing certificate with thumbprint: $signingCertThumbprint"
+## sign files inside app dir
+$filesToSign = Get-ChildItem -Path $AppName -Recurse -File -Include "*.exe","*.dll","*.sys"
+
+foreach ($file in $filesToSign) {
+	& $signTool sign /as /sha1 $signingCertThumbprint /tr "http://timestamp.digicert.com" /td SHA256 /fd SHA256 /d "Cryptomator"  $file.FullName
+	if( $? -eq $false) {
+		Write-Error "Failed to sign file: $($file.FullName)"
+		exit 1
+	}
+}
+
+#TODO: Sign wixhelper.dll with signtool.exe
+#TODO: patch jar files with signed dlls
 
 # create .msi
 $Env:JP_WIXWIZARD_RESOURCES = "$buildDir\resources"
@@ -238,7 +285,7 @@ if ($LASTEXITCODE -ne 0) {
 }
 
 #Create RTF license for bundle
-&mvn -B -f $buildDir/../../pom.xml license:add-third-party `
+&mvn -B -f $buildDir/../../pom.xml license:add-third-party "-Djavafx.platform=win" `
  "-Dlicense.thirdPartyFilename=license.rtf" `
  "-Dlicense.fileTemplate=$buildDir\bundle\resources\licenseTemplate.ftl" `
  "-Dlicense.outputDirectory=$buildDir\bundle\resources\" `
@@ -250,7 +297,7 @@ if ($LASTEXITCODE -ne 0) {
 # download Winfsp
 $winfspMsiUrl= 'https://github.com/winfsp/winfsp/releases/download/v2.1/winfsp-2.1.25156.msi'
 $winfspMsiHash = '073A70E00F77423E34BED98B86E600DEF93393BA5822204FAC57A29324DB9F7A'
-Write-Host "Downloading ${winfspMsiUrl}..."
+Write-Output "Downloading ${winfspMsiUrl}..."
 Invoke-WebRequest $winfspMsiUrl -OutFile ".\bundle\resources\winfsp.msi" # redirects are followed by default
 $computedHash = $(Get-FileHash -Path '.\bundle\resources\winfsp.msi' -Algorithm SHA256).Hash
 if (! $computedHash.Equals($winfspMsiHash)) {
@@ -264,7 +311,7 @@ if (! $computedHash.Equals($winfspMsiHash)) {
 
 # download legacy-winfsp uninstaller
 $winfspUninstaller= 'https://github.com/cryptomator/winfsp-uninstaller/releases/latest/download/winfsp-uninstaller.exe'
-Write-Host "Downloading ${winfspUninstaller}..."
+Write-Output "Downloading ${winfspUninstaller}..."
 Invoke-WebRequest $winfspUninstaller -OutFile ".\bundle\resources\winfsp-uninstaller.exe" # redirects are followed by default
 
 # copy MSI to bundle resources
@@ -284,18 +331,4 @@ Copy-Item ".\installer\$AppName-*.msi" -Destination ".\bundle\resources\$AppName
     .\bundle\bundleWithWinfsp.wxs `
     -out "installer\$AppName-Installer.exe"
 
-Write-Host "Created EXE installer .\installer\$AppName-Installer.exe"
-return 0;
-}
-
-# ============================
-# Script Execution Starts Here
-# ============================
-if ($clean) {
-	Write-Host "Cleaning up previous build artifacts..."
-	Remove-Item -Path ".\runtime" -Force -Recurse -ErrorAction Ignore -ProgressAction SilentlyContinue
-	Remove-Item -Path ".\$AppName" -Force -Recurse -ErrorAction Ignore -ProgressAction SilentlyContinue
-	Remove-Item -Path ".\installer" -Force -Recurse -ErrorAction Ignore -ProgressAction SilentlyContinue
-}
-return Main
-
+Write-Output "Created EXE installer .\installer\$AppName-Installer.exe"

dist/win/bundle/bundleWithWinfsp.wxs

@@ -27,8 +27,6 @@
             <ns0:Payload Name="Cryptobot.ico" SourceFile="bundle\resources\Cryptomator.ico"/>
         </ns0:BootstrapperApplication>
 
-        <ns0:Variable Name="DISABLEUPDATECHECK" bal:Overridable="yes" Type="string" Value="false"/>
-
         <ns0:Chain>
             <ns0:ExePackage Cache="keep" PerMachine="yes" Permanent="no" SourceFile="bundle\resources\winfsp-uninstaller.exe" DisplayName="Removing outdated WinFsp Driver" Description="Executable to remove old winfsp" DetectCondition="false" InstallCondition="(InstalledLegacyWinFspVersion &lt;&gt; v0.0.0.0) AND ((WixBundleAction = 7) OR (WixBundleAction = 5))" UninstallArguments="">
                 <ns0:CommandLine Condition="WixBundleUILevel &lt;= 3" InstallArgument="-q -l &quot;[WixBundleLog].winfsp-uninstaller.log&quot;" RepairArgument="-q" UninstallArgument="-s" />
@@ -43,9 +41,7 @@ Do you want to continue?&quot;" RepairArgument="-q" UninstallArgument="-s" />
                 <ns0:ExitCode Behavior="forceReboot" Value="4" />
                 <ns0:ExitCode Behavior="success" Value="5" />
             </ns0:ExePackage>
-            <ns0:MsiPackage SourceFile="bundle\resources\Cryptomator.msi" CacheId="cryptomator-bundle-cryptomator" Visible="no">
-                <ns0:MsiProperty Name="DISABLEUPDATECHECK" Value="[DISABLEUPDATECHECK]"/>
-            </ns0:MsiPackage>
+            <ns0:MsiPackage SourceFile="bundle\resources\Cryptomator.msi" CacheId="cryptomator-bundle-cryptomator" Visible="no" />
             <ns0:MsiPackage SourceFile="bundle\resources\winfsp.msi" CacheId="cryptomator-bundle-winfsp" Visible="yes" Permanent="yes" />
         </ns0:Chain>
     </ns0:Bundle>

dist/win/contrib/disableUserConfig.bat

@@ -1,12 +0,0 @@
-@echo off
-:: Batch wrapper for PowerShell script to disable user configuration in Cryptomator
-:: This is executed as a Custom Action during MSI installation
-:: This file must be located in the INSTALLDIR
-
-:: Change to INSTALLDIR
-cd %~dp0
-:: Execute the PowerShell script
-powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File ".\disableUserConfig.ps1"
-
-:: Return the exit code from PowerShell
-exit /b %ERRORLEVEL%

dist/win/contrib/disableUserConfig.ps1

@@ -1,24 +0,0 @@
-# PowerShell script to disable user configuration
-# This script is executed as a Custom Action during MSI installation
-# It deletes the file .package, effectively disabling user specific jpackage configuration.
-# NOTE: This file must be located in the same directory as set in the MSI property INSTALLDIR
-
-try {
-
-    # Determine  file path
-    $packageFile = Join-Path $PSScriptRoot 'app\.package'
-
-    #check if file exists
-    if (Test-Path -Path $packageFile) {
-        Write-Host "Deleting file: $packageFile"
-        Remove-Item -Path $packageFile -Force -ErrorAction Stop
-    } else {
-        Write-Host "File not found: $packageFile. Skipping deletion."
-    }
-
-    exit 0
-}
-catch {
-    Write-Error "Error deleting package file: $_"
-    exit 1
-}

dist/win/contrib/patchUpdateCheck.bat

@@ -1,18 +0,0 @@
-@echo off
-:: Batch wrapper for PowerShell script to modify Cryptomator update check settings
-:: This is executed as a Custom Action during MSI installation
-:: This file must be located in the INSTALLDIR
-
-set "DISABLEUPDATECHECK=%~1"
-
-:: Log for debugging
-echo DISABLEUPDATECHECK=%DISABLEUPDATECHECK%
-
-:: Change to INSTALLDIR
-cd %~dp0
-:: Execute the PowerShell script
-powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File ".\patchUpdateCheck.ps1"^
- -DisableUpdateCheck "%DISABLEUPDATECHECK%"
-
-:: Return the exit code from PowerShell
-exit /b %ERRORLEVEL%

dist/win/contrib/patchUpdateCheck.ps1

@@ -1,58 +0,0 @@
-# PowerShell script to modify Cryptomator.cfg to set disableUpdateCheck property
-# This script is executed as a Custom Action during MSI installation
-# If the DisableUpdateCheck parameter is set to true, it disables the update check in Cryptomator by modifying the Cryptomator.cfg file.
-# NOTE: This file must be located in the same directory as set in the MSI property INSTALLDIR
-
-param(
-    [Parameter(Mandatory)][string]$DisableUpdateCheck
-)
-
-try {
-    # Log parameters for debugging (visible in MSI verbose logs)
-    Write-Host "DisableUpdateCheck: $DisableUpdateCheck"
-
-    # Parse DisableUpdateCheck value (handle various input formats)
-    $shouldDisable = $false
-    if ($DisableUpdateCheck) {
-        $DisableUpdateCheck = $DisableUpdateCheck.Trim().ToLower()
-        $shouldDisable = ($DisableUpdateCheck -eq 'true') -or ($DisableUpdateCheck -eq '1') -or ($DisableUpdateCheck -eq 'yes')
-    }
-
-    Write-Host "Setting cryptomator.disableUpdateCheck to: $shouldDisable"
-    if (-not $shouldDisable) {
-        Write-Host 'Disable-Update-Check property is by default "false". Skipping config modification.'
-        exit 0
-    }
-
-    # Determine the .cfg file path
-    $cfgDir = Join-Path $PSScriptRoot 'app'
-    $cfgFiles = Get-ChildItem -Path $cfgDir -Filter '*.cfg' -File
-
-    if ($cfgFiles.Count -eq 0) {
-        Write-Error "No .cfg file found in directory: $cfgDir"
-        exit 1
-    }
-
-    foreach ($file in $cfgFiles) {
-        $cfgFile = $file.FullName
-        Write-Host "Modifying configuration file: $cfgFile"
-        # Read the current configuration
-        $content = Get-Content $cfgFile -Raw -ErrorAction Stop
-
-        # Add the new option based on the property value
-        # Use regular expressions substitutions to replace the property
-        $searchExpression = '(?<Prefix>java-options=-Dcryptomator\.disableUpdateCheck)=false'
-        $replacementExpression = '${Prefix}=true'
-        $content = $content -replace $searchExpression,$replacementExpression
-
-        # Write the modified content back
-        Set-Content -Path $cfgFile -Value $content -NoNewline
-        Write-Host "Successfully updated $cfgFile"
-    }
-
-    exit 0
-}
-catch {
-    Write-Error "Error modifying configuration file: $_"
-    exit 1
-}

dist/win/contrib/patchWebDAV.bat

@@ -1,18 +1,7 @@
 @echo off
-:: Batch wrapper for PowerShell script to adjust Windows network settings for the Cryptomator WebDAVAdapter 
-:: This is executed as a Custom Action during MSI installation
-:: This file must be located in the INSTALLDIR
+:: Default values for Cryptomator builds
+::REPLACE ME
 
-set "LOOPBACK_ALIAS=%1"
-
-:: Log for debugging
-echo LOOPBACK_ALIAS=%LOOPBACK_ALIAS%
-
-:: Change to INSTALLDIR
 cd %~dp0
-:: Execute the PowerShell script
-powershell -NoLogo -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File .\patchWebDAV.ps1^
- -LoopbackAlias %LOOPBACK_ALIAS%
-
-:: Return the exit code from PowerShell
-exit /b %ERRORLEVEL%
+powershell -NoLogo -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -Command .\patchWebDAV.ps1^
+ -LoopbackAlias %LOOPBACK_ALIAS%

dist/win/debug-launcher.properties

@@ -1,4 +1 @@
-win-console=true
-win-shortcut=false
-win-menu=false
-description=Debug Launcher with Console for Cryptomator
+win-console=true

dist/win/launcher.bat

@@ -0,0 +1,15 @@
+@echo off
+java ^
+	-p "mods" ^
+	-cp "libs/*" ^
+	-Dcryptomator.settingsPath="~/AppData/Roaming/Cryptomator/settings.json" ^
+	-Dcryptomator.ipcSocketPath="~/AppData/Roaming/Cryptomator/ipc.socket" ^
+	-Dcryptomator.logDir="~/AppData/Roaming/Cryptomator" ^
+	-Dcryptomator.mountPointsDir="~/Cryptomator" ^
+	-Dcryptomator.integrationsWin.keychainPaths="~/AppData/Roaming/Cryptomator/keychain.json" ^
+	-Dcryptomator.integrationsWin.windowsHelloKeychainPaths="~/AppData/Roaming/Cryptomator/windowsHelloKeychain.json" ^
+	-Xss20m ^
+	-Xmx512m ^
+	--enable-preview `
+	--enable-native-access=org.cryptomator.jfuse.win `
+	-m org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator

dist/win/resources/main.wxs

@@ -26,7 +26,6 @@
   <?define IconFileEncryptedData= "Cryptomator-Vault.ico" ?>
   <?define ProgIdContentType= "application/vnd.cryptomator.encrypted" ?>
   <?define CloseApplicationTarget= "cryptomator.exe" ?>
-  <?define LoopbackAlias= "cryptomator-vault" ?>
 
   <?include $(var.JpConfigDir)/overrides.wxi ?>
 
@@ -87,37 +86,17 @@
 
     <!-- Non-Opening ProgID -->
     <ns0:DirectoryRef Id="INSTALLDIR">
-        <ns0:Component Bitness="always64" Id="nonStartingProgID">
+        <ns0:Component Bitness="always64" Id="nonStartingProgID" >
           <ns0:File Id="IconFileForEncryptedData" KeyPath="yes" Source="$(env.JP_WIXWIZARD_RESOURCES)\$(var.IconFileEncryptedData)" Name="$(var.IconFileEncryptedData)"/>
           <ns0:ProgId Id="$(var.JpAppName).Encrypted.1" Description="$(var.JpAppName) Encrypted Data" Icon="IconFileForEncryptedData" IconIndex="0">
             <ns0:Extension Id="c9r" Advertise="no" ContentType="$(var.ProgIdContentType)">
               <ns0:MIME ContentType="$(var.ProgIdContentType)" Default="yes"/>
             </ns0:Extension>
             <ns0:Extension Id="c9s" Advertise="no" ContentType="$(var.ProgIdContentType)"/>
-            <ns0:Extension Id="c9u" Advertise="no" ContentType="$(var.ProgIdContentType)"/>
           </ns0:ProgId>
         </ns0:Component>
     </ns0:DirectoryRef>
 
-    <ns0:StandardDirectory Id="CommonAppDataFolder">
-      <ns0:Directory Id="CryptomatorDesktopProgramData" Name="Cryptomator">
-        <ns0:Component Id="AdminConfigDir" Guid="c078b7da-ba6e-4069-a5ab-5c0f0f9856a0">
-          <ns0:CreateFolder>
-            <util:PermissionEx User="SYSTEM" GenericAll="yes"/>
-            <util:PermissionEx User="Administrators" GenericAll="yes"/>
-            <util:PermissionEx User="Users" GenericRead="yes" GenericExecute="yes"/>
-          </ns0:CreateFolder>
-        </ns0:Component>
-        <ns0:Component Id="AdminConfigFile" NeverOverwrite="yes" Permanent="yes">
-          <ns0:File Id="EmptyAdminConfig" Source="$(env.JP_WIXWIZARD_RESOURCES)\..\..\common\config.properties" Name="config.properties" KeyPath="yes">
-            <util:PermissionEx User="SYSTEM" GenericAll="yes"/>
-            <util:PermissionEx User="Administrators" GenericAll="yes"/>
-            <util:PermissionEx User="Users" GenericRead="yes" GenericExecute="yes"/>
-          </ns0:File>
-        </ns0:Component>
-      </ns0:Directory>
-    </ns0:StandardDirectory>
-
     <!-- Standard required root -->
 
     <ns0:Feature Id="DefaultFeature" Title="!(loc.MainFeatureTitle)" Level="1">
@@ -125,9 +104,7 @@
       <ns0:ComponentGroupRef Id="Files"/>
       <ns0:ComponentGroupRef Id="FileAssociations"/>
       <!-- Ref to additional ProgIDs -->
-      <ns0:ComponentRef Id="nonStartingProgID"/>
-      <ns0:ComponentRef Id="AdminConfigDir"/>
-      <ns0:ComponentRef Id="AdminConfigFile"/>
+      <ns0:ComponentRef Id="nonStartingProgID" />
     </ns0:Feature>
 
     <ns0:CustomAction Id="JpSetARPINSTALLLOCATION" Property="ARPINSTALLLOCATION" Value="[INSTALLDIR]" />
@@ -149,22 +126,10 @@
 
     <ns0:Property Id="WixQuietExec64CmdTimeout" Value="20" />
     <!-- Note for custom actions: Immediate CAs run BEFORE the files are installed, hence if you depend on installed files, the CAs must be deferred.-->
-
-    <!-- Property for controlling update check behavior (can be set via command line) -->
-    <ns0:Property Id="DISABLEUPDATECHECK" Secure="yes" />
-
-    <!-- Disable user config -->
-    <ns0:SetProperty Id="DisableUserConfig" Value="&quot;[INSTALLDIR]disableUserConfig.bat&quot;" Sequence="execute" Before="DisableUserConfig" />
-    <ns0:CustomAction Id="DisableUserConfig" BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no"/>
-
     <!-- WebDAV patches -->
-    <ns0:SetProperty Id="PatchWebDAV" Value="&quot;[INSTALLDIR]patchWebDAV.bat&quot; &quot;$(var.LoopbackAlias)&quot;" Sequence="execute" Before="PatchWebDAV" />
+    <ns0:SetProperty Id="PatchWebDAV" Value="&quot;[INSTALLDIR]patchWebDAV.bat&quot;" Sequence="execute" Before="PatchWebDAV" />
     <ns0:CustomAction Id="PatchWebDAV" BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no"/>
 
-    <!-- Update check configuration -->
-    <ns0:SetProperty Id="PatchUpdateCheck" Value="&quot;[INSTALLDIR]patchUpdateCheck.bat&quot; &quot;[DISABLEUPDATECHECK]&quot;" Sequence="execute" Before="PatchUpdateCheck" />
-    <ns0:CustomAction Id="PatchUpdateCheck" BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)" DllEntry="WixQuietExec64" Execute="deferred" Return="ignore" Impersonate="no"/>
-
     <!-- Running App detection and exit -->
     <ns0:Property Id="FOUNDRUNNINGAPP" Admin="yes"/>
     <util:CloseApplication
@@ -213,12 +178,9 @@
       <ns0:Custom Action="FailOnRunningApp" After="Wix4CloseApplications_$(sys.BUILDARCHSHORT)" Condition="FOUNDRUNNINGAPP" />
 
       <ns0:RemoveExistingProducts After="InstallValidate"/> <!-- Moved from CostInitialize, due to Wix4CloseApplications_* -->
-      <ns0:Custom Action="DisableUserConfig" After="InstallFiles" Condition="NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
       <!-- Skip action on uninstall -->
       <!-- TODO: don't skip action, but remove cryptomator alias from hosts file -->
-      <ns0:Custom Action="PatchWebDAV" After="DisableUserConfig" Condition="NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
-      <!-- Configure update check setting if property is provided -->
-      <ns0:Custom Action="PatchUpdateCheck" After="PatchWebDAV" Condition="DISABLEUPDATECHECK AND NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
+      <ns0:Custom Action="PatchWebDAV" After="InstallFiles" Condition="NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
     </ns0:InstallExecuteSequence>
 
     <ns0:InstallUISequence>

dist/win/resources/overrides.wxi

@@ -41,7 +41,7 @@ Media Type of the encrypted data files. Default is "application/vnd.cryptomator.
 
 Close Application settings:
 - CloseApplicationTarget
-Full name of executable to be checked in the close application util. Default is "cryptomator.exe"
+Full name of executable to be checkd in the close application util. Default is "cryptomator.exe"
 
 Legacy Installation settings:
 - SkipCryptomatorLegacyCheck

license/merges

@@ -1,6 +1,6 @@
-Apache License v2.0|Apache License, Version 2.0|The Apache License, Version 2.0|The Apache Software License, Version 2.0|Apache 2.0|Apache Software License - Version 2.0|Apache-2.0
-MIT License|MIT|The MIT License (MIT)|The MIT License|MIT license
-LGPL 2.1|LGPL, version 2.1|GNU Lesser/Library General Public License version 2|GNU Lesser General Public License Version 2.1|GNU Lesser General Public License
+Apache License v2.0|Apache License, Version 2.0|The Apache Software License, Version 2.0|Apache 2.0|Apache Software License - Version 2.0|Apache-2.0
+MIT License|The MIT License (MIT)|The MIT License|MIT license
+LGPL 2.1|LGPL, version 2.1|GNU Lesser/Library General Public License version 2|GNU Lesser General Public License Version 2.1
 GPLv2|GNU General Public License Version 2
 GPLv2+CE|CDDL + GPLv2 with classpath exception
 Eclipse Public License - Version 1.0|Eclipse Public License - v 1.0

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>cryptomator</artifactId>
-	<version>1.19.2</version>
+	<version>1.18.0-SNAPSHOT</version>
 	<name>Cryptomator Desktop App</name>
 
 	<organization>
@@ -26,83 +26,72 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<project.jdk.version>25</project.jdk.version>
+		<project.jdk.version>24</project.jdk.version>
 
 		<!-- Group IDs of jars that need to stay on the class path for now -->
 		<!-- remove them, as soon they got modularized or support is dropped (i.e., WebDAV) -->
 		<nonModularGroupIds>org.ow2.asm,org.apache.jackrabbit,org.apache.httpcomponents</nonModularGroupIds>
 
 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptofs.version>2.10.0</cryptomator.cryptofs.version>
-		<cryptomator.cryptolib.version>2.2.2</cryptomator.cryptolib.version>
-		<cryptomator.integrations.version>1.8.0</cryptomator.integrations.version>
-		<cryptomator.integrations.win.version>1.6.0</cryptomator.integrations.win.version>
-		<cryptomator.integrations.mac.version>1.5.0</cryptomator.integrations.mac.version>
-		<cryptomator.integrations.linux.version>1.7.0</cryptomator.integrations.linux.version>
-		<cryptomator.fuse.version>6.0.1</cryptomator.fuse.version>
-		<cryptomator.webdav.version>3.0.1</cryptomator.webdav.version>
-		<cryptomator.webdav-servlet.version>1.2.12</cryptomator.webdav-servlet.version>
+		<cryptomator.cryptofs.version>2.9.0</cryptomator.cryptofs.version>
+		<cryptomator.integrations.version>1.6.0</cryptomator.integrations.version>
+		<cryptomator.integrations.win.version>1.5.0</cryptomator.integrations.win.version>
+		<cryptomator.integrations.mac.version>1.4.0</cryptomator.integrations.mac.version>
+		<cryptomator.integrations.linux.version>1.6.0</cryptomator.integrations.linux.version>
+		<cryptomator.fuse.version>5.0.5</cryptomator.fuse.version>
+		<cryptomator.webdav.version>2.0.10</cryptomator.webdav.version>
 
 		<!-- 3rd party dependencies -->
-		<caffeine.version>3.2.3</caffeine.version>
-		<commons-lang3.version>3.20.0</commons-lang3.version>
-		<dagger.version>2.59.2</dagger.version>
+		<commons-lang3.version>3.17.0</commons-lang3.version>
+		<dagger.version>2.56.2</dagger.version>
 		<easybind.version>2.2</easybind.version>
-		<jackson.version>2.21.1</jackson.version>
-		<javafx.version>25.0.2</javafx.version>
-		<jwt.version>4.5.1</jwt.version>
-		<nimbus-jose.version>10.5</nimbus-jose.version>
-		<logback.version>1.5.32</logback.version>
+		<jackson.version>2.19.1</jackson.version>
+		<javafx.version>24.0.1</javafx.version>
+		<jwt.version>4.5.0</jwt.version>
+		<nimbus-jose.version>9.37.3</nimbus-jose.version>
+		<logback.version>1.5.18</logback.version>
 		<slf4j.version>2.0.17</slf4j.version>
 		<tinyoauth2.version>0.8.1</tinyoauth2.version>
 		<zxcvbn.version>1.9.0</zxcvbn.version>
 
 		<!-- test dependencies -->
-		<junit.jupiter.version>6.0.3</junit.jupiter.version>
-		<mockito.version>5.22.0</mockito.version>
+		<junit.jupiter.version>5.13.1</junit.jupiter.version>
+		<mockito.version>5.18.0</mockito.version>
 		<hamcrest.version>3.0</hamcrest.version>
 
 		<!-- build-time dependencies -->
-		<jetbrains.annotations.version>26.1.0</jetbrains.annotations.version>
-		<dependency-check.version>12.2.0</dependency-check.version>
-		<jacoco.version>0.8.14</jacoco.version>
-		<license-generator.version>2.7.1</license-generator.version>
-		<junit-tree-reporter.version>1.5.1</junit-tree-reporter.version>
-		<mvn-compiler.version>3.15.0</mvn-compiler.version>
-		<mvn-resources.version>3.5.0</mvn-resources.version>
-		<mvn-dependency.version>3.10.0</mvn-dependency.version>
+		<jetbrains.annotations.version>26.0.2</jetbrains.annotations.version>
+		<dependency-check.version>12.1.3</dependency-check.version>
+		<jacoco.version>0.8.13</jacoco.version>
+		<license-generator.version>2.5.0</license-generator.version>
+		<junit-tree-reporter.version>1.4.0</junit-tree-reporter.version>
+		<mvn-compiler.version>3.14.0</mvn-compiler.version>
+		<mvn-resources.version>3.3.1</mvn-resources.version>
+		<mvn-dependency.version>3.8.1</mvn-dependency.version>
 		<mvn-surefire.version>3.5.3</mvn-surefire.version>
-		<mvn-jar.version>3.5.0</mvn-jar.version>
+		<mvn-jar.version>3.4.2</mvn-jar.version>
 
 		<!-- Property used by surefire to determine jacoco engine -->
 		<surefire.jacoco.args></surefire.jacoco.args>
 	</properties>
 
-	<repositories>
-		<repository>
-			<name>Central Portal Snapshots</name>
-			<id>central-portal-snapshots</id>
-			<url>https://central.sonatype.com/repository/maven-snapshots/</url>
-			<releases>
-				<enabled>false</enabled>
-			</releases>
-			<snapshots>
-				<enabled>true</enabled>
-			</snapshots>
-		</repository>
-	</repositories>
+	<!-- TODO: Remove once webdav version 2.0.11 is released -->
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.cryptomator</groupId>
+				<artifactId>webdav-nio-adapter-servlet</artifactId>
+				<version>1.2.9</version>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
 
 	<dependencies>
 		<!-- Cryptomator Libs -->
-		<dependency>
-			<groupId>org.cryptomator</groupId>
-			<artifactId>webdav-nio-adapter-servlet</artifactId>
-			<version>${cryptomator.webdav-servlet.version}</version>
-		</dependency>
 		<dependency>
 			<groupId>org.cryptomator</groupId>
 			<artifactId>cryptolib</artifactId>
-			<version>${cryptomator.cryptolib.version}</version>
+			<version>2.2.1</version>
 		</dependency>
 		<dependency>
 			<groupId>org.cryptomator</groupId>
@@ -236,7 +225,7 @@
 		<dependency>
 			<groupId>com.github.ben-manes.caffeine</groupId>
 			<artifactId>caffeine</artifactId>
-			<version>${caffeine.version}</version>
+			<version>3.2.1</version>
 		</dependency>
 		<!-- JUnit / Mockito / Hamcrest -->
 		<dependency>
@@ -266,7 +255,7 @@
 		<dependency>
 			<groupId>com.google.jimfs</groupId>
 			<artifactId>jimfs</artifactId>
-			<version>1.3.1</version>
+			<version>1.3.0</version>
 			<scope>test</scope>
 		</dependency>
 
@@ -338,6 +327,7 @@
 					</annotationProcessorPaths>
 					<compilerArgs>
 						<arg>-Adagger.fastInit=enabled</arg>
+						<arg>-Adagger.formatGeneratedSource=enabled</arg>
 					</compilerArgs>
 				</configuration>
 			</plugin>

src/main/java/module-info.java

@@ -1,4 +1,5 @@
 import ch.qos.logback.classic.spi.Configurator;
+import org.cryptomator.networking.SSLContextWithPKCS12TrustStore;
 import org.cryptomator.common.locationpresets.DropboxLinuxLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.DropboxMacLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.DropboxWindowsLocationPresetsProvider;
@@ -13,16 +14,11 @@ import org.cryptomator.common.locationpresets.OneDriveLinuxLocationPresetsProvid
 import org.cryptomator.common.locationpresets.OneDriveMacLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.OneDriveWindowsLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.PCloudLocationPresetsProvider;
-import org.cryptomator.integrations.revealpath.RevealPathService;
-import org.cryptomator.integrations.tray.TrayMenuController;
-import org.cryptomator.integrations.uiappearance.UiAppearanceProvider;
-import org.cryptomator.logging.LogbackConfiguratorFactory;
-import org.cryptomator.networking.SSLContextProvider;
 import org.cryptomator.networking.SSLContextWithMacKeychain;
-import org.cryptomator.networking.SSLContextWithPKCS12TrustStore;
+import org.cryptomator.networking.SSLContextProvider;
 import org.cryptomator.networking.SSLContextWithWindowsCertStore;
-import org.cryptomator.ui.fxapp.JfxRevealPathService;
-import org.cryptomator.ui.fxapp.JfxUiAppearanceProvider;
+import org.cryptomator.integrations.tray.TrayMenuController;
+import org.cryptomator.logging.LogbackConfiguratorFactory;
 import org.cryptomator.ui.traymenu.AwtTrayMenuController;
 
 open module org.cryptomator.desktop {
@@ -54,19 +50,17 @@ open module org.cryptomator.desktop {
 	requires io.github.coffeelibs.tinyoauth2client;
 	requires org.slf4j;
 	requires org.apache.commons.lang3;
-	requires com.github.benmanes.caffeine;
 
 	/* dagger bs */
 	requires jakarta.inject;
 	requires static javax.inject;
 	requires java.compiler;
+	requires com.github.benmanes.caffeine;
 
 	uses org.cryptomator.common.locationpresets.LocationPresetsProvider;
 	uses SSLContextProvider;
 	uses org.cryptomator.event.NotificationHandler;
 
-	provides UiAppearanceProvider with JfxUiAppearanceProvider;
-	provides RevealPathService with JfxRevealPathService;
 	provides TrayMenuController with AwtTrayMenuController;
 	provides Configurator with LogbackConfiguratorFactory;
 	provides SSLContextProvider with SSLContextWithWindowsCertStore, SSLContextWithMacKeychain, SSLContextWithPKCS12TrustStore;

src/main/java/org/cryptomator/common/CommonsModule.java

@@ -22,6 +22,8 @@ import javax.inject.Named;
 import javax.inject.Singleton;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.util.Comparator;
+import java.util.Optional;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.SynchronousQueue;
@@ -74,8 +76,15 @@ public abstract class CommonsModule {
 
 	@Provides
 	@Singleton
-	static RevealPathService provideRevealPathService() {
-		return RevealPathService.get().findFirst().orElseThrow();
+	@Named("SemVer")
+	static Comparator<String> providesSemVerComparator() {
+		return new SemVerComparator();
+	}
+
+	@Provides
+	@Singleton
+	static Optional<RevealPathService> provideRevealPathService() {
+		return RevealPathService.get().findFirst();
 	}
 
 

src/main/java/org/cryptomator/common/Constants.java

@@ -13,7 +13,5 @@ public interface Constants {
 	String CRYPTOMATOR_FILENAME_GLOB = "*.cryptomator";
 	URI DEFAULT_KEY_ID = URI.create(MasterkeyFileLoadingStrategy.SCHEME + ":" + MASTERKEY_FILENAME);
 	byte[] PEPPER = new byte[0];
-	// Separator used to concatenate Hub username and device name in the filesystem owner identifier.
-	String HUB_USER_DEVICE_SEPARATOR = "&";
 
 }

src/main/java/org/cryptomator/common/Environment.java

@@ -9,13 +9,10 @@ import org.slf4j.LoggerFactory;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.util.Arrays;
 import java.util.Optional;
-import java.util.Set;
 import java.util.Spliterator;
 import java.util.Spliterators;
 import java.util.function.Predicate;
-import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;
 
@@ -23,22 +20,20 @@ public class Environment {
 
 	private static final Logger LOG = LoggerFactory.getLogger(Environment.class);
 	private static final int DEFAULT_MIN_PW_LENGTH = 8;
-	public static final String SETTINGS_PATH_PROP_NAME = "cryptomator.settingsPath";
-	public static final String IPC_SOCKET_PATH_PROP_NAME = "cryptomator.ipcSocketPath";
-	public static final String KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.keychainPaths";
-	public static final String WINDOWS_HELLO_KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.windowsHelloKeychainPaths";
-	public static final String P12_PATH_PROP_NAME = "cryptomator.p12Path";
-	public static final String LOG_DIR_PROP_NAME = "cryptomator.logDir";
-	public static final String LOOPBACK_ALIAS_PROP_NAME = "cryptomator.loopbackAlias";
-	public static final String MOUNTPOINT_DIR_PROP_NAME = "cryptomator.mountPointsDir";
-	public static final String MIN_PW_LENGTH_PROP_NAME = "cryptomator.minPwLength";
-	public static final String APP_VERSION_PROP_NAME = "cryptomator.appVersion";
-	public static final String BUILD_NUMBER_PROP_NAME = "cryptomator.buildNumber";
-	public static final String PLUGIN_DIR_PROP_NAME = "cryptomator.pluginDir";
-	public static final String TRAY_ICON_PROP_NAME = "cryptomator.showTrayIcon";
-	public static final String DISABLE_UPDATE_CHECK_PROP_NAME = "cryptomator.disableUpdateCheck";
-	public static final String HUB_ALLOWED_HOSTS_PROP_NAME = "cryptomator.hub.allowedHosts";
-	public static final String HUB_TOFU_PROP_NAME = "cryptomator.hub.enableTrustOnFirstUse";
+	private static final String SETTINGS_PATH_PROP_NAME = "cryptomator.settingsPath";
+	private static final String IPC_SOCKET_PATH_PROP_NAME = "cryptomator.ipcSocketPath";
+	private static final String KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.keychainPaths";
+	private static final String WINDOWS_HELLO_KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.windowsHelloKeychainPaths";
+	private static final String P12_PATH_PROP_NAME = "cryptomator.p12Path";
+	private static final String LOG_DIR_PROP_NAME = "cryptomator.logDir";
+	private static final String LOOPBACK_ALIAS_PROP_NAME = "cryptomator.loopbackAlias";
+	private static final String MOUNTPOINT_DIR_PROP_NAME = "cryptomator.mountPointsDir";
+	private static final String MIN_PW_LENGTH_PROP_NAME = "cryptomator.minPwLength";
+	private static final String APP_VERSION_PROP_NAME = "cryptomator.appVersion";
+	private static final String BUILD_NUMBER_PROP_NAME = "cryptomator.buildNumber";
+	private static final String PLUGIN_DIR_PROP_NAME = "cryptomator.pluginDir";
+	private static final String TRAY_ICON_PROP_NAME = "cryptomator.showTrayIcon";
+	private static final String DISABLE_UPDATE_CHECK_PROP_NAME = "cryptomator.disableUpdateCheck";
 
 	private Environment() {}
 
@@ -62,8 +57,6 @@ public class Environment {
 		logCryptomatorSystemProperty(PLUGIN_DIR_PROP_NAME);
 		logCryptomatorSystemProperty(TRAY_ICON_PROP_NAME);
 		logCryptomatorSystemProperty(DISABLE_UPDATE_CHECK_PROP_NAME);
-		logCryptomatorSystemProperty(HUB_ALLOWED_HOSTS_PROP_NAME);
-		logCryptomatorSystemProperty(HUB_TOFU_PROP_NAME);
 	}
 
 	public static Environment getInstance() {
@@ -131,15 +124,6 @@ public class Environment {
 		return Optional.ofNullable(System.getProperty(BUILD_NUMBER_PROP_NAME));
 	}
 
-	/**
-	 * Returns the app version concatenated with the build number (if defined).
-	 *
-	 * @return version string formatted like {@code 1.2.3-4567} or {@code 1.2.3} if no build number is defined.
-	 */
-	public String getAppVersionWithBuildNumber() {
-		return getAppVersion() + getBuildNumber().map("-"::concat).orElse("");
-	}
-
 	public Optional<Path> getPluginDir() {
 		return getPath(PLUGIN_DIR_PROP_NAME);
 	}
@@ -152,18 +136,6 @@ public class Environment {
 		return Boolean.getBoolean(DISABLE_UPDATE_CHECK_PROP_NAME);
 	}
 
-	public Set<String> hubAllowedHosts() {
-		var allowedHubHostsString = System.getProperty(HUB_ALLOWED_HOSTS_PROP_NAME, "");
-		return Arrays.stream(allowedHubHostsString.split(","))
-				.map(String::trim)
-				.filter(Predicate.not(String::isEmpty))
-				.collect(Collectors.toUnmodifiableSet());
-	}
-
-	public boolean hubTrustOnFirstUse() {
-		return Boolean.getBoolean(HUB_TOFU_PROP_NAME);
-	}
-
 	private Optional<Path> getPath(String propertyName) {
 		String value = System.getProperty(propertyName);
 		return Optional.ofNullable(value).map(Paths::get);

src/main/java/org/cryptomator/common/EventMap.java

@@ -0,0 +1,160 @@
+package org.cryptomator.common;
+
+import org.cryptomator.cryptofs.event.BrokenDirFileEvent;
+import org.cryptomator.cryptofs.event.BrokenFileNodeEvent;
+import org.cryptomator.cryptofs.event.ConflictResolutionFailedEvent;
+import org.cryptomator.cryptofs.event.ConflictResolvedEvent;
+import org.cryptomator.cryptofs.event.DecryptionFailedEvent;
+import org.cryptomator.cryptofs.event.FilesystemEvent;
+import org.cryptomator.event.VaultEvent;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javafx.beans.InvalidationListener;
+import javafx.collections.FXCollections;
+import javafx.collections.MapChangeListener;
+import javafx.collections.ObservableMap;
+import java.nio.file.Path;
+import java.util.Collection;
+import java.util.Comparator;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Map containing {@link VaultEvent}s.
+ * The map is keyed by the ciphertext path of the affected resource _and_ the {@link FilesystemEvent}s class in order to group same events
+ * <p>
+ * Use {@link EventMap#put(VaultEvent)} to add an element and {@link EventMap#remove(VaultEvent)} to remove it.
+ * <p>
+ * The map is size restricted to {@value MAX_SIZE} elements. If a _new_ element (i.e. not already present) is added, the least recently added is removed.
+ */
+@Singleton
+public class EventMap implements ObservableMap<EventMap.EventKey, VaultEvent> {
+
+	private static final int MAX_SIZE = 300;
+
+	public record EventKey(Path ciphertextPath, Class<? extends FilesystemEvent> c) {}
+
+	private final ObservableMap<EventMap.EventKey, VaultEvent> delegate;
+
+	@Inject
+	public EventMap() {
+		delegate = FXCollections.observableHashMap();
+	}
+
+	@Override
+	public void addListener(MapChangeListener<? super EventKey, ? super VaultEvent> mapChangeListener) {
+		delegate.addListener(mapChangeListener);
+	}
+
+	@Override
+	public void removeListener(MapChangeListener<? super EventKey, ? super VaultEvent> mapChangeListener) {
+		delegate.removeListener(mapChangeListener);
+	}
+
+	@Override
+	public int size() {
+		return delegate.size();
+	}
+
+	@Override
+	public boolean isEmpty() {
+		return delegate.isEmpty();
+	}
+
+	@Override
+	public boolean containsKey(Object key) {
+		return delegate.containsKey(key);
+	}
+
+	@Override
+	public boolean containsValue(Object value) {
+		return delegate.containsValue(value);
+	}
+
+	@Override
+	public VaultEvent get(Object key) {
+		return delegate.get(key);
+	}
+
+	@Override
+	public @Nullable VaultEvent put(EventKey key, VaultEvent value) {
+		return delegate.put(key, value);
+	}
+
+	@Override
+	public VaultEvent remove(Object key) {
+		return delegate.remove(key);
+	}
+
+	@Override
+	public void putAll(@NotNull Map<? extends EventKey, ? extends VaultEvent> m) {
+		delegate.putAll(m);
+	}
+
+	@Override
+	public void clear() {
+		delegate.clear();
+	}
+
+	@Override
+	public @NotNull Set<EventKey> keySet() {
+		return delegate.keySet();
+	}
+
+	@Override
+	public @NotNull Collection<VaultEvent> values() {
+		return delegate.values();
+	}
+
+	@Override
+	public @NotNull Set<Entry<EventKey, VaultEvent>> entrySet() {
+		return delegate.entrySet();
+	}
+
+	@Override
+	public void addListener(InvalidationListener invalidationListener) {
+		delegate.addListener(invalidationListener);
+	}
+
+	@Override
+	public void removeListener(InvalidationListener invalidationListener) {
+		delegate.removeListener(invalidationListener);
+	}
+
+	public synchronized void put(VaultEvent e) {
+		//compute key
+		var key = computeKey(e.actualEvent());
+		//if-else
+		var nullOrEntry = delegate.get(key);
+		if (nullOrEntry == null) {
+			if (size() == MAX_SIZE) {
+				delegate.entrySet().stream() //
+						.min(Comparator.comparing(entry -> entry.getValue().actualEvent().getTimestamp())) //
+						.ifPresent(oldestEntry -> delegate.remove(oldestEntry.getKey()));
+			}
+			delegate.put(key, e);
+		} else {
+			delegate.put(key, nullOrEntry.incrementCount(e.actualEvent()));
+		}
+	}
+
+	public synchronized VaultEvent remove(VaultEvent similar) {
+		//compute key
+		var key = computeKey(similar.actualEvent());
+		return this.remove(key);
+	}
+
+	private EventKey computeKey(FilesystemEvent e) {
+		var p = switch (e) {
+			case DecryptionFailedEvent(_, Path ciphertextPath, _) -> ciphertextPath;
+			case ConflictResolvedEvent(_, _, _, _, Path resolvedCiphertext) -> resolvedCiphertext;
+			case ConflictResolutionFailedEvent(_, _, Path conflictingCiphertext, _) -> conflictingCiphertext;
+			case BrokenDirFileEvent(_, Path ciphertext) -> ciphertext;
+			case BrokenFileNodeEvent(_, _, Path ciphertext) -> ciphertext;
+		};
+		return new EventKey(p, e.getClass());
+	}
+}

src/main/java/org/cryptomator/common/FilesystemOwnerSupplier.java

@@ -1,18 +0,0 @@
-package org.cryptomator.common;
-
-import java.util.function.Supplier;
-
-/**
- * Interface marking a class to be used in {@link org.cryptomator.cryptofs.CryptoFileSystemProperties.Builder#withOwnerGetter(Supplier)}.
- */
-@FunctionalInterface
-public interface FilesystemOwnerSupplier {
-
-	/**
-	 * Get the filesystem owner.
-	 *
-	 * @return the filesystem owner
-	 */
-	String getOwner();
-
-}

src/main/java/org/cryptomator/common/SemVerComparator.java

@@ -0,0 +1,81 @@
+/*******************************************************************************
+ * Copyright (c) 2016, 2017 Sebastian Stenzel and others.
+ * All rights reserved.
+ * This program and the accompanying materials are made available under the terms of the accompanying LICENSE file.
+ *
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ *******************************************************************************/
+package org.cryptomator.common;
+
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Comparator;
+
+/**
+ * Compares version strings according to <a href="http://semver.org/spec/v2.0.0.html">SemVer 2.0.0</a>.
+ */
+public class SemVerComparator implements Comparator<String> {
+
+	private static final char VERSION_SEP = '.'; // http://semver.org/spec/v2.0.0.html#spec-item-2
+	private static final String PRE_RELEASE_SEP = "-"; // http://semver.org/spec/v2.0.0.html#spec-item-9
+	private static final String BUILD_SEP = "+"; // http://semver.org/spec/v2.0.0.html#spec-item-10
+
+	@Override
+	public int compare(String version1, String version2) {
+		// "Build metadata SHOULD be ignored when determining version precedence.
+		// Thus two versions that differ only in the build metadata, have the same precedence."
+		String v1WithoutBuildMetadata = StringUtils.substringBefore(version1, BUILD_SEP);
+		String v2WithoutBuildMetadata = StringUtils.substringBefore(version2, BUILD_SEP);
+
+		if (v1WithoutBuildMetadata.equals(v2WithoutBuildMetadata)) {
+			return 0;
+		}
+
+		String v1MajorMinorPatch = StringUtils.substringBefore(v1WithoutBuildMetadata, PRE_RELEASE_SEP);
+		String v2MajorMinorPatch = StringUtils.substringBefore(v2WithoutBuildMetadata, PRE_RELEASE_SEP);
+		String v1PreReleaseVersion = StringUtils.substringAfter(v1WithoutBuildMetadata, PRE_RELEASE_SEP);
+		String v2PreReleaseVersion = StringUtils.substringAfter(v2WithoutBuildMetadata, PRE_RELEASE_SEP);
+		return compare(v1MajorMinorPatch, v1PreReleaseVersion, v2MajorMinorPatch, v2PreReleaseVersion);
+	}
+
+	private int compare(String v1MajorMinorPatch, String v1PreReleaseVersion, String v2MajorMinorPatch, String v2PreReleaseVersion) {
+		int comparisonResult = compareNumericallyThenLexicographically(v1MajorMinorPatch, v2MajorMinorPatch);
+		if (comparisonResult == 0) {
+			if (v1PreReleaseVersion.isEmpty()) {
+				return 1; // 1.0.0 > 1.0.0-BETA
+			} else if (v2PreReleaseVersion.isEmpty()) {
+				return -1; // 1.0.0-BETA < 1.0.0
+			} else {
+				return compareNumericallyThenLexicographically(v1PreReleaseVersion, v2PreReleaseVersion);
+			}
+		} else {
+			return comparisonResult;
+		}
+	}
+
+	private int compareNumericallyThenLexicographically(String version1, String version2) {
+		final String[] vComps1 = StringUtils.split(version1, VERSION_SEP);
+		final String[] vComps2 = StringUtils.split(version2, VERSION_SEP);
+		final int commonCompCount = Math.min(vComps1.length, vComps2.length);
+
+		for (int i = 0; i < commonCompCount; i++) {
+			int subversionComparisonResult = 0;
+			try {
+				final int v1 = Integer.parseInt(vComps1[i]);
+				final int v2 = Integer.parseInt(vComps2[i]);
+				subversionComparisonResult = v1 - v2;
+			} catch (NumberFormatException ex) {
+				// ok, lets compare this fragment lexicographically
+				subversionComparisonResult = vComps1[i].compareTo(vComps2[i]);
+			}
+			if (subversionComparisonResult != 0) {
+				return subversionComparisonResult;
+			}
+		}
+
+		// all in common so far? longest version string is considered the higher version:
+		return vComps1.length - vComps2.length;
+	}
+
+}

src/main/java/org/cryptomator/common/SubstitutingProperties.java

@@ -1,7 +1,7 @@
 package org.cryptomator.common;
 
 import org.jetbrains.annotations.VisibleForTesting;
-import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.util.Map;
 import java.util.Properties;
@@ -13,12 +13,10 @@ public class SubstitutingProperties extends PropertiesDecorator {
 	private static final Pattern TEMPLATE = Pattern.compile("@\\{(\\w+)}");
 
 	private final Map<String, String> env;
-	private final Logger logger;
 
-	public SubstitutingProperties(Properties props, Map<String, String> systemEnvironment, Logger logger) {
+	public SubstitutingProperties(Properties props, Map<String, String> systemEnvironment) {
 		super(props);
 		this.env = systemEnvironment;
-		this.logger = logger;
 	}
 
 	@Override
@@ -46,7 +44,7 @@ public class SubstitutingProperties extends PropertiesDecorator {
 					case "localappdata" -> resolveFrom("LOCALAPPDATA", Source.ENV);
 					case "userhome" -> resolveFrom("user.home", Source.PROPS);
 					default -> {
-						logger.warn("Unknown variable {} in property value {}.", match.group(), value);
+						LoggerFactory.getLogger(SubstitutingProperties.class).warn("Unknown variable {} in property value {}.", match.group(), value);
 						yield match.group();
 					}
 				});
@@ -58,7 +56,7 @@ public class SubstitutingProperties extends PropertiesDecorator {
 			case PROPS -> delegate.getProperty(key);
 		};
 		if (val == null) {
-			logger.warn("Variable {} used for substitution not found in {}. Replaced with empty string.", key, src);
+			LoggerFactory.getLogger(SubstitutingProperties.class).warn("Variable {} used for substitution not found in {}. Replaced with empty string.", key, src);
 			return "";
 		} else {
 			return Matcher.quoteReplacement(val);

src/main/java/org/cryptomator/common/mount/Mounter.java

@@ -167,7 +167,6 @@ public class Mounter {
 		usedMountServices.add(mountService);
 
 		var builder = mountService.forFileSystem(cryptoFsRoot);
-		LOG.debug("Using mount service {} for mounting vault {}", mountService.getClass().getName(), vaultSettings.displayName);
 		var internal = new SettledMounter(mountService, builder, vaultSettings); // FIXME: no need for an inner class
 		var cleanup = internal.prepare();
 		return new MountHandle(builder.mount(), mountService.hasCapability(UNMOUNT_FORCED), cleanup);

src/main/java/org/cryptomator/common/recovery/BackupRestorer.java

@@ -1,53 +0,0 @@
-package org.cryptomator.common.recovery;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.nio.file.Path;
-import java.nio.file.Files;
-import java.nio.file.StandardCopyOption;
-import java.nio.file.attribute.FileTime;
-import java.util.stream.Stream;
-
-import static org.cryptomator.common.Constants.MASTERKEY_BACKUP_SUFFIX;
-
-public final class BackupRestorer {
-
-	private static final Logger LOG = LoggerFactory.getLogger(BackupRestorer.class);
-
-	private BackupRestorer() {}
-
-	public static void restoreIfBackupPresent(Path vaultPath, String filePrefix) {
-		Path targetFile = vaultPath.resolve(filePrefix);
-
-		try (Stream<Path> files = Files.list(vaultPath)) {
-			files.filter(file -> isFileMatchingPattern(file.getFileName().toString(), filePrefix))
-					.max((f1, f2) -> {
-						try {
-							FileTime time1 = Files.getLastModifiedTime(f1);
-							FileTime time2 = Files.getLastModifiedTime(f2);
-							return time1.compareTo(time2);
-						} catch (IOException e) {
-							return 0;
-						}
-					})
-					.ifPresent(backupFile -> copyBackupFile(backupFile, targetFile));
-		} catch (IOException e) {
-			LOG.info("Unable to restore backup files in '{}'", vaultPath, e);
-		}
-	}
-
-	private static boolean isFileMatchingPattern(String fileName, String filePrefix) {
-		return fileName.startsWith(filePrefix) && fileName.endsWith(MASTERKEY_BACKUP_SUFFIX);
-	}
-
-	private static void copyBackupFile(Path backupFile, Path configPath) {
-		try {
-			Files.copy(backupFile, configPath, StandardCopyOption.REPLACE_EXISTING);
-			LOG.debug("Backup restored - file: '{}'  path: '{}'", backupFile, configPath);
-		} catch (IOException e) {
-			LOG.warn("Unable to copy backup file from '{}' to '{}'", backupFile, configPath, e);
-		}
-	}
-}

src/main/java/org/cryptomator/common/recovery/CryptoFsInitializer.java

@@ -1,33 +0,0 @@
-package org.cryptomator.common.recovery;
-
-import java.io.IOException;
-import java.nio.file.Path;
-
-import org.cryptomator.cryptofs.CryptoFileSystemProperties;
-import org.cryptomator.cryptofs.CryptoFileSystemProvider;
-import org.cryptomator.cryptolib.api.Masterkey;
-import org.cryptomator.cryptolib.api.CryptorProvider;
-import org.cryptomator.cryptolib.api.CryptoException;
-import org.cryptomator.cryptolib.api.MasterkeyLoader;
-
-import static org.cryptomator.common.Constants.DEFAULT_KEY_ID;
-
-public final class CryptoFsInitializer {
-
-	private CryptoFsInitializer() {}
-
-	public static void init(Path recoveryPath,
-							Masterkey masterkey,
-							int shorteningThreshold,
-							CryptorProvider.Scheme scheme) throws IOException, CryptoException {
-
-		MasterkeyLoader loader = ignored -> masterkey.copy();
-		CryptoFileSystemProperties fsProps = CryptoFileSystemProperties //
-				.cryptoFileSystemProperties() //
-				.withCipherCombo(scheme) //
-				.withKeyLoader(loader) //
-				.withShorteningThreshold(shorteningThreshold) //
-				.build();
-		CryptoFileSystemProvider.initialize(recoveryPath, fsProps, DEFAULT_KEY_ID);
-	}
-}

src/main/java/org/cryptomator/common/recovery/MasterkeyService.java

@@ -1,102 +0,0 @@
-package org.cryptomator.common.recovery;
-
-import org.cryptomator.common.vaults.Vault;
-import org.cryptomator.cryptolib.api.CryptoException;
-import org.cryptomator.cryptolib.api.Cryptor;
-import org.cryptomator.cryptolib.api.CryptorProvider;
-import org.cryptomator.cryptolib.api.Masterkey;
-import org.cryptomator.cryptolib.common.MasterkeyFileAccess;
-import org.cryptomator.ui.recoverykey.RecoveryKeyFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.nio.channels.FileChannel;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.StandardOpenOption;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.util.Arrays;
-import java.util.NoSuchElementException;
-import java.util.Optional;
-import java.util.UUID;
-import java.util.stream.Stream;
-
-import static org.cryptomator.common.Constants.MASTERKEY_FILENAME;
-import static org.cryptomator.cryptofs.common.Constants.DATA_DIR_NAME;
-
-public final class MasterkeyService {
-
-	private static final Logger LOG = LoggerFactory.getLogger(MasterkeyService.class);
-
-	private MasterkeyService() {}
-
-	public static void recoverFromRecoveryKey(String recoveryKey, RecoveryKeyFactory recoveryKeyFactory, Path recoveryPath, CharSequence newPassword) throws IOException {
-		recoveryKeyFactory.newMasterkeyFileWithPassphrase(recoveryPath, recoveryKey, newPassword);
-	}
-
-	public static Masterkey load(MasterkeyFileAccess masterkeyFileAccess, Path masterkeyFilePath, CharSequence password) throws IOException {
-		return masterkeyFileAccess.load(masterkeyFilePath, password);
-	}
-
-	public static CryptorProvider.Scheme validateRecoveryKeyAndDetectCombo(RecoveryKeyFactory recoveryKeyFactory, //
-																		   Vault vault, String recoveryKey, //
-																		   MasterkeyFileAccess masterkeyFileAccess) throws IOException, CryptoException, NoSuchElementException {
-		String tmpPass = UUID.randomUUID().toString();
-		try (RecoveryDirectory recoveryDirectory = RecoveryDirectory.create(vault.getPath())) {
-			Path tempRecoveryPath = recoveryDirectory.getRecoveryPath();
-			recoverFromRecoveryKey(recoveryKey, recoveryKeyFactory, tempRecoveryPath, tmpPass);
-			Path masterkeyFilePath = tempRecoveryPath.resolve(MASTERKEY_FILENAME);
-
-			try (Masterkey mk = load(masterkeyFileAccess, masterkeyFilePath, tmpPass)) {
-				return detect(mk, vault.getPath()).orElseThrow();
-			}
-		}
-	}
-
-	public static Optional<CryptorProvider.Scheme> detect(Masterkey masterkey, Path vaultPath) {
-		try (Stream<Path> paths = Files.walk(vaultPath.resolve(DATA_DIR_NAME))) {
-			Optional<Path> c9rFile = paths //
-					.filter(p -> p.toString().endsWith(".c9r")) //
-					.filter(p -> !p.endsWith("dir.c9r")) //
-					.filter(Files::isRegularFile) //
-					.findFirst();
-			if (c9rFile.isEmpty()) {
-				LOG.info("Unable to detect Crypto scheme: No *.c9r file found in {}", vaultPath);
-				return Optional.empty();
-			}
-			return determineScheme(c9rFile.get(), masterkey);
-		} catch (IOException e) {
-			LOG.info("Unable to detect Crypto scheme: Failed to inspect vault", e);
-			return Optional.empty();
-		}
-	}
-
-	private static Optional<CryptorProvider.Scheme> determineScheme(Path c9rFile, Masterkey masterkey) {
-		return Arrays.stream(CryptorProvider.Scheme.values()).filter(scheme -> {
-			try (Cryptor cryptor = CryptorProvider.forScheme(scheme).provide(masterkey.copy(), SecureRandom.getInstanceStrong())) {
-				int headerSize = cryptor.fileHeaderCryptor().headerSize();
-
-				ByteBuffer headerBuf = ByteBuffer.allocate(headerSize);
-
-				try (FileChannel channel = FileChannel.open(c9rFile, StandardOpenOption.READ)) {
-					channel.read(headerBuf, 0);
-				}
-
-				headerBuf.flip();
-				cryptor.fileHeaderCryptor().decryptHeader(headerBuf.duplicate());
-				LOG.debug("Detected Crypto scheme: {}", scheme);
-				return true;
-			} catch (IllegalArgumentException | CryptoException e) {
-				LOG.debug("Could not decrypt with scheme: {}", scheme);
-				return false;
-			} catch (IOException | NoSuchAlgorithmException e) {
-				LOG.warn("Unable to detect Crypto scheme: Failed to decrypt .c9r file", e);
-				return false;
-			}
-		}).findFirst();
-	}
-
-}

src/main/java/org/cryptomator/common/recovery/RecoveryActionType.java

@@ -1,10 +0,0 @@
-package org.cryptomator.common.recovery;
-
-public enum RecoveryActionType {
-	RESTORE_ALL,
-	RESTORE_MASTERKEY,
-	RESTORE_VAULT_CONFIG,
-	RESET_PASSWORD,
-	SHOW_KEY,
-	CONVERT_VAULT
-}

src/main/java/org/cryptomator/common/recovery/RecoveryDirectory.java

@@ -1,56 +0,0 @@
-package org.cryptomator.common.recovery;
-
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.StandardCopyOption;
-import java.util.Comparator;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public final class RecoveryDirectory implements AutoCloseable {
-
-	private static final Logger LOG = LoggerFactory.getLogger(RecoveryDirectory.class);
-
-	private final Path recoveryPath;
-	private final Path vaultPath;
-
-	private RecoveryDirectory(Path vaultPath, Path recoveryPath) {
-		this.vaultPath = vaultPath;
-		this.recoveryPath = recoveryPath;
-	}
-
-	public static RecoveryDirectory create(Path vaultPath) throws IOException {
-		Path tempDir = Files.createTempDirectory("cryptomator");
-		return new RecoveryDirectory(vaultPath, tempDir);
-	}
-
-	public void moveRecoveredFile(String file) throws IOException {
-		Files.move(recoveryPath.resolve(file), vaultPath.resolve(file), StandardCopyOption.REPLACE_EXISTING);
-	}
-
-	private void deleteRecoveryDirectory() {
-		try (var paths = Files.walk(recoveryPath)) {
-			paths.sorted(Comparator.reverseOrder()).forEach(p -> {
-				try {
-					Files.delete(p);
-				} catch (IOException e) {
-					LOG.info("Unable to delete {}. Please delete it manually.", p);
-				}
-			});
-		} catch (IOException e) {
-			LOG.error("Failed to clean up recovery directory", e);
-		}
-	}
-
-	@Override
-	public void close() {
-		deleteRecoveryDirectory();
-	}
-
-	public Path getRecoveryPath() {
-		return recoveryPath;
-	}
-
-}

src/main/java/org/cryptomator/common/recovery/VaultPreparator.java

@@ -1,54 +0,0 @@
-package org.cryptomator.common.recovery;
-
-import org.apache.commons.lang3.SystemUtils;
-import org.cryptomator.common.settings.VaultSettings;
-import org.cryptomator.common.vaults.Vault;
-import org.cryptomator.common.vaults.VaultComponent;
-import org.cryptomator.common.vaults.VaultConfigCache;
-import org.cryptomator.common.vaults.VaultListManager;
-import org.cryptomator.integrations.mount.MountService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.nio.file.Path;
-import java.util.List;
-import java.util.ResourceBundle;
-
-import static org.cryptomator.common.vaults.VaultState.Value.LOCKED;
-
-public final class VaultPreparator {
-
-	private static final Logger LOG = LoggerFactory.getLogger(VaultPreparator.class);
-
-	private VaultPreparator() {}
-
-	public static Vault prepareVault(Path selectedDirectory, //
-									 VaultComponent.Factory vaultComponentFactory, //
-									 List<MountService> mountServices, //
-									 ResourceBundle resourceBundle) {
-		VaultSettings vaultSettings = VaultSettings.withRandomId();
-		vaultSettings.path.set(selectedDirectory);
-		if (selectedDirectory.getFileName() != null) {
-			vaultSettings.displayName.set(selectedDirectory.getFileName().toString());
-		} else {
-			vaultSettings.displayName.set(resourceBundle.getString("defaults.vault.vaultName"));
-		}
-
-		var wrapper = new VaultConfigCache(vaultSettings);
-		Vault vault = vaultComponentFactory.create(vaultSettings, wrapper, LOCKED, null).vault();
-		try {
-			VaultListManager.determineVaultState(vault.getPath());
-		} catch (IOException e) {
-			LOG.warn("Failed to determine vault state for {}", vaultSettings.path.get(), e);
-		}
-
-		//due to https://github.com/cryptomator/cryptomator/issues/2880#issuecomment-1680313498
-		var nameOfWinfspLocalMounter = "org.cryptomator.frontend.fuse.mount.WinFspMountProvider";
-		if (SystemUtils.IS_OS_WINDOWS && vaultSettings.path.get().toString().contains("Dropbox") && mountServices.stream().anyMatch(s -> s.getClass().getName().equals(nameOfWinfspLocalMounter))) {
-			vaultSettings.mountService.setValue(nameOfWinfspLocalMounter);
-		}
-
-		return vault;
-	}
-}

src/main/java/org/cryptomator/common/settings/Settings.java

@@ -24,12 +24,9 @@ import javafx.beans.property.SimpleStringProperty;
 import javafx.beans.property.StringProperty;
 import javafx.collections.FXCollections;
 import javafx.collections.ObservableList;
-import javafx.collections.ObservableSet;
 import javafx.geometry.NodeOrientation;
-import java.nio.file.Path;
 import java.time.Instant;
-import java.util.HashSet;
-import java.util.Set;
+import java.util.function.Consumer;
 
 public class Settings {
 
@@ -54,7 +51,6 @@ public class Settings {
 	static final String DEFAULT_USER_INTERFACE_ORIENTATION = NodeOrientation.LEFT_TO_RIGHT.name();
 	public static final Instant DEFAULT_TIMESTAMP = Instant.parse("2000-01-01T00:00:00Z");
 
-	private final SettingsProvider provider;
 	public final ObservableList<VaultSettings> directories;
 	public final BooleanProperty startHidden;
 	public final BooleanProperty autoCloseVaults;
@@ -79,14 +75,13 @@ public class Settings {
 	public final BooleanProperty checkForUpdates;
 	public final ObjectProperty<Instant> lastUpdateCheckReminder;
 	public final ObjectProperty<Instant> lastSuccessfulUpdateCheck;
-	public final ObjectProperty<Path> previouslyUsedVaultDirectory;
-	public final StringProperty lastUpdateAttemptedByVersion;
-	public final ObservableSet<String> trustedHosts;
 
-	public static Settings create(SettingsProvider provider, Environment env) {
+	private Consumer<Settings> saveCmd;
+
+	public static Settings create(Environment env) {
 		var defaults = new SettingsJson();
 		defaults.showTrayIcon = env.showTrayIcon();
-		return new Settings(provider, defaults);
+		return new Settings(defaults);
 	}
 
 	/**
@@ -94,8 +89,7 @@ public class Settings {
 	 *
 	 * @param json The parsed settings.json
 	 */
-	Settings(SettingsProvider provider, SettingsJson json) {
-		this.provider = provider;
+	Settings(SettingsJson json) {
 		this.directories = FXCollections.observableArrayList(VaultSettings::observables);
 		this.startHidden = new SimpleBooleanProperty(this, "startHidden", json.startHidden);
 		this.autoCloseVaults = new SimpleBooleanProperty(this, "autoCloseVaults", json.autoCloseVaults);
@@ -120,9 +114,6 @@ public class Settings {
 		this.checkForUpdates = new SimpleBooleanProperty(this, "checkForUpdates", json.checkForUpdatesEnabled);
 		this.lastUpdateCheckReminder = new SimpleObjectProperty<>(this, "lastUpdateCheckReminder", json.lastReminderForUpdateCheck);
 		this.lastSuccessfulUpdateCheck = new SimpleObjectProperty<>(this, "lastSuccessfulUpdateCheck", json.lastSuccessfulUpdateCheck);
-		this.previouslyUsedVaultDirectory = new SimpleObjectProperty<>(this, "previouslyUsedVaultDirectory", json.previouslyUsedVaultDirectory);
-		this.lastUpdateAttemptedByVersion = new SimpleStringProperty(this, "lastUpdateAttemptedByVersion", json.lastUpdateAttemptedByVersion);
-		this.trustedHosts = FXCollections.observableSet(json.trustedHosts);
 
 		this.directories.addAll(json.directories.stream().map(VaultSettings::new).toList());
 
@@ -152,13 +143,15 @@ public class Settings {
 		checkForUpdates.addListener(this::somethingChanged);
 		lastUpdateCheckReminder.addListener(this::somethingChanged);
 		lastSuccessfulUpdateCheck.addListener(this::somethingChanged);
-		previouslyUsedVaultDirectory.addListener(this::somethingChanged);
-		lastUpdateAttemptedByVersion.addListener(this::somethingChanged);
-		trustedHosts.addListener(this::somethingChanged);
 	}
 
 	@SuppressWarnings("deprecation")
 	private void migrateLegacySettings(SettingsJson json) {
+		// migrate renamed keychainAccess
+		if(this.keychainProvider.getValueSafe().equals("org.cryptomator.linux.keychain.SecretServiceKeychainAccess")) {
+			this.keychainProvider.setValue("org.cryptomator.linux.keychain.GnomeKeyringKeychainAccess");
+		}
+
 		// implicit migration of 1.6.x legacy setting "preferredVolumeImpl":
 		if (this.mountService.get() == null && json.preferredVolumeImpl != null) {
 			this.mountService.set(switch (json.preferredVolumeImpl) {
@@ -211,9 +204,6 @@ public class Settings {
 		json.checkForUpdatesEnabled = checkForUpdates.get();
 		json.lastReminderForUpdateCheck = lastUpdateCheckReminder.get();
 		json.lastSuccessfulUpdateCheck = lastSuccessfulUpdateCheck.get();
-		json.previouslyUsedVaultDirectory = previouslyUsedVaultDirectory.get();
-		json.lastUpdateAttemptedByVersion = lastUpdateAttemptedByVersion.get();
-		json.trustedHosts = Set.copyOf(trustedHosts);
 		return json;
 	}
 
@@ -226,12 +216,20 @@ public class Settings {
 		}
 	}
 
-	private void somethingChanged(@SuppressWarnings("unused") Observable observable) {
-		provider.scheduleSave(this);
+
+	// TODO rename to setChangeListener
+	void setSaveCmd(Consumer<Settings> saveCmd) {
+		this.saveCmd = saveCmd;
 	}
 
-	public void saveNow() {
-		provider.saveNow(this);
+	private void somethingChanged(@SuppressWarnings("unused") Observable observable) {
+		this.save();
+	}
+
+	void save() {
+		if (saveCmd != null) {
+			saveCmd.accept(this);
+		}
 	}
 
 }

src/main/java/org/cryptomator/common/settings/SettingsJson.java

@@ -4,23 +4,16 @@ import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.annotation.JsonSetter;
-import com.fasterxml.jackson.annotation.Nulls;
 
-import java.nio.file.Path;
 import java.time.Instant;
-import java.util.ArrayList;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Set;
 
 @JsonIgnoreProperties(ignoreUnknown = true)
 @JsonInclude(JsonInclude.Include.NON_NULL)
 class SettingsJson {
 
 	@JsonProperty("directories")
-	@JsonSetter(nulls = Nulls.AS_EMPTY)
-	List<VaultSettingsJson> directories = new ArrayList<>();
+	List<VaultSettingsJson> directories = List.of();
 
 	@JsonProperty("writtenByVersion")
 	String writtenByVersion;
@@ -99,14 +92,4 @@ class SettingsJson {
 
 	@JsonProperty("quickAccessService")
 	String quickAccessService = Settings.DEFAULT_QUICKACCESS_SERVICE;
-
-	@JsonProperty("previouslyUsedVaultDirectory")
-	Path previouslyUsedVaultDirectory;
-
-	@JsonProperty("lastUpdateAttemptedByVersion")
-	String lastUpdateAttemptedByVersion;
-
-	@JsonProperty("trustedHosts")
-	@JsonSetter(nulls = Nulls.AS_EMPTY)
-	Set<String> trustedHosts = new HashSet<>();
 }

src/main/java/org/cryptomator/common/settings/SettingsProvider.java

@@ -26,9 +26,7 @@ import java.nio.file.NoSuchFileException;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
 import java.nio.file.StandardOpenOption;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.Future;
+import java.util.Optional;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
@@ -63,7 +61,8 @@ public class SettingsProvider implements Supplier<Settings> {
 		Settings settings = env.getSettingsPath() //
 				.flatMap(this::tryLoad) //
 				.findFirst() //
-				.orElseGet(() -> Settings.create(this, env));
+				.orElseGet(() -> Settings.create(env));
+		settings.setSaveCmd(this::scheduleSave);
 		return settings;
 	}
 
@@ -72,7 +71,7 @@ public class SettingsProvider implements Supplier<Settings> {
 		try (InputStream in = Files.newInputStream(path, StandardOpenOption.READ)) {
 			var json = JSON.reader().readValue(in, SettingsJson.class);
 			LOG.info("Settings loaded from {}", path);
-			var settings = new Settings(this, json);
+			var settings = new Settings(json);
 			return Stream.of(settings);
 		} catch (JacksonException e) {
 			LOG.warn("Failed to parse json file {}", path, e);
@@ -85,33 +84,19 @@ public class SettingsProvider implements Supplier<Settings> {
 		}
 	}
 
-	void saveNow(Settings settings) {
-		try {
-			scheduleSave(settings, 0L).get();
-		} catch (InterruptedException e) {
-			Thread.currentThread().interrupt();
-			LOG.error("Saving settings was interrupted.", e);
-		} catch (ExecutionException e) {
-			LOG.error("Unexpected exception while saving.", e);
-		}
-	}
-
-	void scheduleSave(Settings settings) {
-		scheduleSave(settings, SAVE_DELAY_MS);
-	}
-
-	private Future<?> scheduleSave(Settings settings, long delayMillis) {
+	private void scheduleSave(Settings settings) {
 		if (settings == null) {
-			return CompletableFuture.completedFuture(null);
+			return;
 		}
-		final Path settingsPath = env.getSettingsPath().findFirst().orElseThrow(); // always save to preferred (first) path
-		Runnable saveCommand = () -> this.save(settings, settingsPath);
-		ScheduledFuture<?> scheduledTask = scheduler.schedule(saveCommand, delayMillis, TimeUnit.MILLISECONDS);
-		ScheduledFuture<?> previouslyScheduledTask = scheduledSaveCmd.getAndSet(scheduledTask);
-		if (previouslyScheduledTask != null) {
-			previouslyScheduledTask.cancel(false);
-		}
-		return scheduledTask;
+		final Optional<Path> settingsPath = env.getSettingsPath().findFirst(); // always save to preferred (first) path
+		settingsPath.ifPresent(path -> {
+			Runnable saveCommand = () -> this.save(settings, path);
+			ScheduledFuture<?> scheduledTask = scheduler.schedule(saveCommand, SAVE_DELAY_MS, TimeUnit.MILLISECONDS);
+			ScheduledFuture<?> previouslyScheduledTask = scheduledSaveCmd.getAndSet(scheduledTask);
+			if (previouslyScheduledTask != null) {
+				previouslyScheduledTask.cancel(false);
+			}
+		});
 	}
 
 	private void save(Settings settings, Path settingsPath) {
@@ -122,7 +107,7 @@ public class SettingsProvider implements Supplier<Settings> {
 			Path tmpPath = settingsPath.resolveSibling(settingsPath.getFileName().toString() + ".tmp");
 			try (OutputStream out = Files.newOutputStream(tmpPath, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.WRITE)) {
 				var jsonObj = settings.serialized();
-				jsonObj.writtenByVersion = env.getAppVersionWithBuildNumber();
+				jsonObj.writtenByVersion = env.getAppVersion() + env.getBuildNumber().map("-"::concat).orElse("");
 				JSON.writerWithDefaultPrettyPrinter().writeValue(out, jsonObj);
 			}
 			Files.move(tmpPath, settingsPath, StandardCopyOption.REPLACE_EXISTING);

src/main/java/org/cryptomator/common/settings/UiTheme.java

@@ -10,6 +10,14 @@ public enum UiTheme {
 	DARK("preferences.interface.theme.dark"), //
 	AUTOMATIC("preferences.interface.theme.automatic");
 
+	public static UiTheme[] applicableValues() {
+		if (SystemUtils.IS_OS_MAC || SystemUtils.IS_OS_WINDOWS) {
+			return values();
+		} else {
+			return new UiTheme[]{LIGHT, DARK};
+		}
+	}
+
 	private final String displayName;
 
 	UiTheme(String displayName) {

src/main/java/org/cryptomator/common/vaults/Vault.java

@@ -10,7 +10,7 @@ package org.cryptomator.common.vaults;
 
 import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.Constants;
-import org.cryptomator.common.FilesystemOwnerSupplier;
+import org.cryptomator.event.FileSystemEventAggregator;
 import org.cryptomator.common.mount.Mounter;
 import org.cryptomator.common.settings.Settings;
 import org.cryptomator.common.settings.VaultSettings;
@@ -23,8 +23,7 @@ import org.cryptomator.cryptofs.event.FilesystemEvent;
 import org.cryptomator.cryptolib.api.CryptoException;
 import org.cryptomator.cryptolib.api.MasterkeyLoader;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
-import org.cryptomator.event.FileSystemEventAggregator;
-import org.cryptomator.event.NotificationManager;
+import org.cryptomator.event.VaultEvent;
 import org.cryptomator.integrations.mount.MountFailedException;
 import org.cryptomator.integrations.mount.Mountpoint;
 import org.cryptomator.integrations.mount.UnmountFailedException;
@@ -36,6 +35,7 @@ import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javax.inject.Named;
+import javafx.application.Platform;
 import javafx.beans.Observable;
 import javafx.beans.binding.Bindings;
 import javafx.beans.binding.BooleanBinding;
@@ -75,12 +75,10 @@ public class Vault {
 	private final BooleanBinding missing;
 	private final BooleanBinding needsMigration;
 	private final BooleanBinding unknownError;
-	private final BooleanBinding missingVaultConfig;
 	private final ObjectBinding<Mountpoint> mountPoint;
 	private final Mounter mounter;
 	private final Settings settings;
 	private final FileSystemEventAggregator fileSystemEventAggregator;
-	private final NotificationManager notificationManager;
 	private final BooleanProperty showingStats;
 
 	private final AtomicReference<Mounter.MountHandle> mountHandle = new AtomicReference<>(null);
@@ -93,8 +91,7 @@ public class Vault {
 		  @Named("lastKnownException") ObjectProperty<Exception> lastKnownException, //
 		  VaultStats stats, //
 		  Mounter mounter, Settings settings, //
-		  FileSystemEventAggregator fileSystemEventAggregator, //
-		  NotificationManager notificationManager) {
+		  FileSystemEventAggregator fileSystemEventAggregator) {
 		this.vaultSettings = vaultSettings;
 		this.configCache = configCache;
 		this.cryptoFileSystem = cryptoFileSystem;
@@ -106,14 +103,12 @@ public class Vault {
 		this.processing = Bindings.createBooleanBinding(this::isProcessing, state);
 		this.unlocked = Bindings.createBooleanBinding(this::isUnlocked, state);
 		this.missing = Bindings.createBooleanBinding(this::isMissing, state);
-		this.missingVaultConfig = Bindings.createBooleanBinding(this::isMissingVaultConfig, state);
 		this.needsMigration = Bindings.createBooleanBinding(this::isNeedsMigration, state);
 		this.unknownError = Bindings.createBooleanBinding(this::isUnknownError, state);
 		this.mountPoint = Bindings.createObjectBinding(this::getMountPoint, state);
 		this.mounter = mounter;
 		this.settings = settings;
 		this.fileSystemEventAggregator = fileSystemEventAggregator;
-		this.notificationManager = notificationManager;
 		this.showingStats = new SimpleBooleanProperty(false);
 		this.quickAccessEntry = new AtomicReference<>(null);
 	}
@@ -150,17 +145,14 @@ public class Vault {
 			LOG.warn("Limiting cleartext filename length on this device to {}.", vaultSettings.maxCleartextFilenameLength.get());
 		}
 
-		var fsPropsBuilder = CryptoFileSystemProperties.cryptoFileSystemProperties() //
+		CryptoFileSystemProperties fsProps = CryptoFileSystemProperties.cryptoFileSystemProperties() //
 				.withKeyLoader(keyLoader) //
 				.withFlags(flags) //
 				.withMaxCleartextNameLength(vaultSettings.maxCleartextFilenameLength.get()) //
 				.withVaultConfigFilename(Constants.VAULTCONFIG_FILENAME) //
-				.withFilesystemEventConsumer(this::consumeVaultEvent);
-		if (keyLoader instanceof FilesystemOwnerSupplier oo) {
-			fsPropsBuilder.withOwnerGetter(oo::getOwner);
-		}
-
-		return CryptoFileSystemProvider.newFileSystem(getPath(), fsPropsBuilder.build());
+				.withFilesystemEventConsumer(this::consumeVaultEvent) //
+				.build();
+		return CryptoFileSystemProvider.newFileSystem(getPath(), fsProps);
 	}
 
 	private void destroyCryptoFileSystem() {
@@ -270,7 +262,6 @@ public class Vault {
 
 	private void consumeVaultEvent(FilesystemEvent e) {
 		fileSystemEventAggregator.put(this, e);
-		notificationManager.offer(this, e);
 	}
 
 	// ******************************************************************************
@@ -345,14 +336,6 @@ public class Vault {
 		return state.get() == VaultState.Value.ERROR;
 	}
 
-	public BooleanBinding missingVaultConfigProperty() {
-		return missingVaultConfig;
-	}
-
-	public boolean isMissingVaultConfig() {
-		return state.get() == VaultState.Value.VAULT_CONFIG_MISSING || state.get() == VaultState.Value.ALL_MISSING;
-	}
-
 	public ReadOnlyStringProperty displayNameProperty() {
 		return vaultSettings.displayName;
 	}

src/main/java/org/cryptomator/common/vaults/VaultConfigCache.java

@@ -20,7 +20,7 @@ public class VaultConfigCache {
 	private final VaultSettings settings;
 	private final AtomicReference<VaultConfig.UnverifiedVaultConfig> config;
 
-	public VaultConfigCache(VaultSettings settings) {
+	VaultConfigCache(VaultSettings settings) {
 		this.settings = settings;
 		this.config = new AtomicReference<>(null);
 	}

src/main/java/org/cryptomator/common/vaults/VaultListManager.java

@@ -9,14 +9,13 @@
 package org.cryptomator.common.vaults;
 
 import org.apache.commons.lang3.SystemUtils;
-import org.cryptomator.common.recovery.BackupRestorer;
+import org.cryptomator.common.Constants;
 import org.cryptomator.common.settings.Settings;
 import org.cryptomator.common.settings.VaultSettings;
 import org.cryptomator.cryptofs.CryptoFileSystemProvider;
 import org.cryptomator.cryptofs.DirStructure;
 import org.cryptomator.cryptofs.migration.Migrators;
 import org.cryptomator.integrations.mount.MountService;
-import org.cryptomator.ui.keyloading.masterkeyfile.MasterkeyFileLoadingStrategy;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -35,7 +34,9 @@ import java.util.ResourceBundle;
 
 import static org.cryptomator.common.Constants.MASTERKEY_FILENAME;
 import static org.cryptomator.common.Constants.VAULTCONFIG_FILENAME;
-import static org.cryptomator.common.vaults.VaultState.Value.*;
+import static org.cryptomator.common.vaults.VaultState.Value.ERROR;
+import static org.cryptomator.common.vaults.VaultState.Value.LOCKED;
+import static org.cryptomator.common.vaults.VaultState.Value.NEEDS_MIGRATION;
 
 @Singleton
 public class VaultListManager {
@@ -66,12 +67,6 @@ public class VaultListManager {
 		autoLocker.init();
 	}
 
-	public boolean isAlreadyAdded(Path vaultPath) {
-		assert vaultPath.isAbsolute();
-		assert vaultPath.normalize().equals(vaultPath);
-		return vaultList.stream().anyMatch(v -> vaultPath.equals(v.getPath()));
-	}
-
 	public Vault add(Path pathToVault) throws IOException {
 		Path normalizedPathToVault = pathToVault.normalize().toAbsolutePath();
 		if (CryptoFileSystemProvider.checkDirStructureForVault(normalizedPathToVault, VAULTCONFIG_FILENAME, MASTERKEY_FILENAME) == DirStructure.UNRELATED) {
@@ -119,122 +114,59 @@ public class VaultListManager {
 				.findAny();
 	}
 
-	public void addVault(Vault vault) {
-		Path path = vault.getPath().normalize().toAbsolutePath();
-		if (!isAlreadyAdded(path)) {
-			vaultList.add(vault);
-		}
-	}
-
 	private Vault create(VaultSettings vaultSettings) {
 		var wrapper = new VaultConfigCache(vaultSettings);
 		try {
 			var vaultState = determineVaultState(vaultSettings.path.get());
-			initializeLastKnownKeyLoaderIfPossible(vaultSettings, vaultState, wrapper);
-
+			if (vaultState == LOCKED) { //for legacy reasons: pre v8 vault do not have a config, but they are in the NEEDS_MIGRATION state
+				wrapper.reloadConfig();
+				if (Objects.isNull(vaultSettings.lastKnownKeyLoader.get())) {
+					var keyIdScheme = wrapper.get().getKeyId().getScheme();
+					vaultSettings.lastKnownKeyLoader.set(keyIdScheme);
+				}
+			} else if (vaultState == NEEDS_MIGRATION) {
+				vaultSettings.lastKnownKeyLoader.set(Constants.DEFAULT_KEY_ID.toString());
+			}
 			return vaultComponentFactory.create(vaultSettings, wrapper, vaultState, null).vault();
 		} catch (IOException e) {
-			LOG.warn("Failed to determine vault state for {}", vaultSettings.path.get(), e);
+			LOG.warn("Failed to determine vault state for " + vaultSettings.path.get(), e);
 			return vaultComponentFactory.create(vaultSettings, wrapper, ERROR, e).vault();
 		}
 	}
 
-	private void initializeLastKnownKeyLoaderIfPossible(VaultSettings vaultSettings, VaultState.Value vaultState, VaultConfigCache wrapper) throws IOException {
-		if (vaultSettings.lastKnownKeyLoader.get() != null) {
-			return;
-		}
-
-		switch (vaultState) {
-			case LOCKED -> {
-				wrapper.reloadConfig();
-				vaultSettings.lastKnownKeyLoader.set(wrapper.get().getKeyId().getScheme());
-			}
-			case NEEDS_MIGRATION -> {
-				//for legacy reasons: pre v8 vault do not have a config, but they are in the NEEDS_MIGRATION state
-				vaultSettings.lastKnownKeyLoader.set(MasterkeyFileLoadingStrategy.SCHEME);
-			}
-			case VAULT_CONFIG_MISSING ->  {
-				//Nothing to do here, since there is no config to read
-			}
-			case MISSING, ALL_MISSING, ERROR, PROCESSING -> {
-				// no config available or not safe to load
-			}
-			default -> {
-				if (Files.exists(vaultSettings.path.get().resolve(VAULTCONFIG_FILENAME))) {
-					try {
-						wrapper.reloadConfig();
-						vaultSettings.lastKnownKeyLoader.set(wrapper.get().getKeyId().getScheme());
-					} catch (IOException e) {
-						LOG.debug("Unable to load config for {}", vaultSettings.path.get(), e);
-					}
-				}
-			}
-		}
-	}
-
 	public static VaultState.Value redetermineVaultState(Vault vault) {
 		VaultState state = vault.stateProperty();
-		VaultState.Value previous = state.getValue();
-
-		if (previous.equals(UNLOCKED) || previous.equals(PROCESSING)) {
-			return previous;
-		}
-
-		try {
-			VaultState.Value determined = determineVaultState(vault.getPath());
-
-			if (determined == LOCKED) {
-				vault.getVaultConfigCache().reloadConfig();
+		VaultState.Value previousState = state.getValue();
+		return switch (previousState) {
+			case LOCKED, NEEDS_MIGRATION, MISSING -> {
+				try {
+					var determinedState = determineVaultState(vault.getPath());
+					if (determinedState == LOCKED) {
+						vault.getVaultConfigCache().reloadConfig();
+					}
+					state.set(determinedState);
+					yield determinedState;
+				} catch (IOException e) {
+					LOG.warn("Failed to determine vault state for " + vault.getPath(), e);
+					state.set(ERROR);
+					vault.setLastKnownException(e);
+					yield ERROR;
+				}
 			}
-
-			state.set(determined);
-			return determined;
-		} catch (IOException e) {
-			LOG.warn("Failed to (re)determine vault state for {}", vault.getPath(), e);
-			vault.setLastKnownException(e);
-			state.set(ERROR);
-			return ERROR;
-		}
+			case ERROR, UNLOCKED, PROCESSING -> previousState;
+		};
 	}
 
-	public static VaultState.Value determineVaultState(Path pathToVault) throws IOException {
+	private static VaultState.Value determineVaultState(Path pathToVault) throws IOException {
 		if (!Files.exists(pathToVault)) {
-			return MISSING;
+			return VaultState.Value.MISSING;
 		}
-
-		VaultState.Value structureResult = checkDirStructure(pathToVault);
-
-		if (structureResult == LOCKED || structureResult == NEEDS_MIGRATION) {
-			return structureResult;
-		}
-
-		Path pathToVaultConfig = pathToVault.resolve(VAULTCONFIG_FILENAME);
-		Path pathToMasterkey = pathToVault.resolve(MASTERKEY_FILENAME);
-
-		if (!Files.exists(pathToVaultConfig)) {
-			BackupRestorer.restoreIfBackupPresent(pathToVault, VAULTCONFIG_FILENAME);
-		}
-		if (!Files.exists(pathToMasterkey)) {
-			BackupRestorer.restoreIfBackupPresent(pathToVault, MASTERKEY_FILENAME);
-		}
-
-		boolean hasConfig = Files.exists(pathToVaultConfig);
-
-		if (!hasConfig && !Files.exists(pathToMasterkey)) {
-			return ALL_MISSING;
-		}
-		if (!hasConfig) {
-			return VAULT_CONFIG_MISSING;
-		}
-
-		return checkDirStructure(pathToVault);
-	}
-
-	private static VaultState.Value checkDirStructure(Path pathToVault) throws IOException {
 		return switch (CryptoFileSystemProvider.checkDirStructureForVault(pathToVault, VAULTCONFIG_FILENAME, MASTERKEY_FILENAME)) {
-			case VAULT -> LOCKED;
-			case UNRELATED -> MISSING;
-			case MAYBE_LEGACY -> Migrators.get().needsMigration(pathToVault, VAULTCONFIG_FILENAME, MASTERKEY_FILENAME) ? NEEDS_MIGRATION : MISSING;
+			case VAULT -> VaultState.Value.LOCKED;
+			case UNRELATED -> VaultState.Value.MISSING;
+			case MAYBE_LEGACY -> Migrators.get().needsMigration(pathToVault, VAULTCONFIG_FILENAME, MASTERKEY_FILENAME) ? //
+					VaultState.Value.NEEDS_MIGRATION //
+					: VaultState.Value.MISSING;
 		};
 	}
 

src/main/java/org/cryptomator/common/vaults/VaultState.java

@@ -25,16 +25,6 @@ public class VaultState extends ObservableValueBase<VaultState.Value> implements
 		 */
 		MISSING,
 
-		/**
-		 * No vault config found at the provided path
-		 */
-		VAULT_CONFIG_MISSING,
-
-		/**
-		 * No vault config and masterkey found at the provided path
-		 */
-		ALL_MISSING,
-
 		/**
 		 * Vault requires migration to a newer vault format
 		 */

src/main/java/org/cryptomator/event/FileSystemEventAggregator.java

@@ -6,7 +6,6 @@ import org.cryptomator.cryptofs.event.BrokenFileNodeEvent;
 import org.cryptomator.cryptofs.event.ConflictResolutionFailedEvent;
 import org.cryptomator.cryptofs.event.ConflictResolvedEvent;
 import org.cryptomator.cryptofs.event.DecryptionFailedEvent;
-import org.cryptomator.cryptofs.event.FileIsInUseEvent;
 import org.cryptomator.cryptofs.event.FilesystemEvent;
 
 import javax.inject.Inject;
@@ -102,7 +101,6 @@ public class FileSystemEventAggregator {
 			case ConflictResolutionFailedEvent(_, _, Path conflictingCiphertext, _) -> conflictingCiphertext;
 			case BrokenDirFileEvent(_, Path ciphertext) -> ciphertext;
 			case BrokenFileNodeEvent(_, _, Path ciphertext) -> ciphertext;
-			case FileIsInUseEvent(_, _, Path ciphertext, _, _, _) -> ciphertext;
 		};
 		return new FSEventBucket(v, p, event.getClass());
 	}

src/main/java/org/cryptomator/event/NotificationManager.java

@@ -1,85 +0,0 @@
-package org.cryptomator.event;
-
-import com.github.benmanes.caffeine.cache.Cache;
-import com.github.benmanes.caffeine.cache.Caffeine;
-import org.cryptomator.common.vaults.Vault;
-import org.cryptomator.cryptofs.event.FileIsInUseEvent;
-import org.cryptomator.cryptofs.event.FilesystemEvent;
-
-import javax.inject.Inject;
-import javax.inject.Singleton;
-import java.nio.file.Path;
-import java.time.Duration;
-import java.util.List;
-import java.util.concurrent.ConcurrentLinkedQueue;
-import java.util.concurrent.atomic.AtomicBoolean;
-
-/**
- * Manager for notifications.
- * <p>
- * To add (filesystem) events, use method {@link #offer(Vault, FilesystemEvent)}. If the input event is eligible, it is added to an internal queue.
- * An event is eligible, if
- * <ul>
- *     <li>the event should trigger a notification and</li>
- *     <li>it is not added within the last {@value DEBOUNCE_THRESHOLD_SECONDS} seconds</li>
- * </ul>
- *
- * @see org.cryptomator.ui.fxapp.FxNotificationManager
- */
-@Singleton
-public class NotificationManager {
-
-	private static final int DEBOUNCE_THRESHOLD_SECONDS = 5;
-
-	private final Cache<FSEventBucket, FilesystemEvent> debounceCache;
-	private final ConcurrentLinkedQueue<VaultEvent> pendingEvents;
-
-	@Inject
-	public NotificationManager() {
-		debounceCache = Caffeine.newBuilder().expireAfterWrite(Duration.ofSeconds(DEBOUNCE_THRESHOLD_SECONDS)).build();
-		pendingEvents = new ConcurrentLinkedQueue<>();
-	}
-
-	/**
-	 * Offers the given filesystem event to the notification manager.
-	 *
-	 * @param v The vault where the filesystem event happened
-	 * @param e the actual filesystem event
-	 * @return {@code true} if the filesystem event is accepted, otherwise {@code false}.
-	 */
-	public boolean offer(Vault v, FilesystemEvent e) {
-		return switch (e) {
-			case FileIsInUseEvent fiiue -> addEvent(v, fiiue.ciphertextPath(), fiiue);
-			default -> false;
-		};
-	}
-
-	boolean addEvent(Vault v, Path keyPath, FilesystemEvent e) {
-		var key = new FSEventBucket(v, keyPath, e.getClass());
-		var isAdded = new AtomicBoolean(false);
-		debounceCache.asMap().computeIfAbsent(key, _ -> {
-			synchronized (this) {
-				pendingEvents.add(new VaultEvent(v, e));
-				isAdded.set(true);
-			}
-			return e;
-		});
-		return isAdded.get();
-	}
-
-	/**
-	 * Adds all events to the target list and clears afterward the pending-event-queue
-	 *
-	 * @param target list where the filesystem events are copied to
-	 * @return {@code true}, if elements were copied
-	 */
-	public boolean appendToAndClear(List<VaultEvent> target) {
-		//it is not clear, if addAll iterates thread-safe over the pendingEvents
-		//hence we synchronize moving (copy then clear) and adding-single-element operations
-		synchronized (this) {
-			var result = target.addAll(pendingEvents);
-			pendingEvents.clear();
-			return result;
-		}
-	}
-}

src/main/java/org/cryptomator/event/VaultEvent.java

@@ -3,6 +3,25 @@ package org.cryptomator.event;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.cryptofs.event.FilesystemEvent;
 
-public record VaultEvent(Vault v, FilesystemEvent actualEvent) {
+import java.time.Instant;
 
+public record VaultEvent(Vault v, FilesystemEvent actualEvent, int count) implements Comparable<VaultEvent> {
+
+	public VaultEvent(Vault v, FilesystemEvent actualEvent) {
+		this(v, actualEvent, 1);
+	}
+
+	@Override
+	public int compareTo(VaultEvent other) {
+		var timeResult = actualEvent.getTimestamp().compareTo(other.actualEvent().getTimestamp());
+		if(timeResult != 0) {
+			return timeResult;
+		} else {
+			return this.equals(other) ? 0 : this.actualEvent.getClass().getName().compareTo(other.actualEvent.getClass().getName());
+		}
+	}
+
+	public VaultEvent incrementCount(FilesystemEvent update) {
+		return new VaultEvent(v, update, count+1);
+	}
 }

src/main/java/org/cryptomator/ipc/Server.java

@@ -53,26 +53,18 @@ class Server implements IpcCommunicator {
 	@Override
 	public void listen(IpcMessageListener listener, Executor executor) {
 		executor.execute(() -> {
-			int errorCount = 0;
 			while (serverSocketChannel.isOpen()) {
 				try (var ch = serverSocketChannel.accept()) {
 					while (ch.isConnected()) {
 						var msg = IpcMessage.receive(ch);
 						listener.handleMessage(msg);
 					}
-					errorCount = 0;
 				} catch (AsynchronousCloseException e) {
-					LOG.info("Closing server socket due to closed channel.");
 					return; // serverSocketChannel closed or listener interrupted
 				} catch (EOFException | ClosedChannelException e) {
 					// continue with next connected client
 				} catch (IOException e) {
-					errorCount++;
 					LOG.error("Failed to read IPC message", e);
-					if(errorCount > 100) { //apparently something is broken, prevent log spam
-						LOG.info("Closing server socket due to too many failed requests.");
-						return;
-					}
 				}
 			}
 		});

src/main/java/org/cryptomator/launcher/AdminPropertiesFactory.java

@@ -1,101 +0,0 @@
-package org.cryptomator.launcher;
-
-import org.slf4j.Logger;
-
-import java.io.IOException;
-import java.io.Reader;
-import java.nio.channels.Channels;
-import java.nio.channels.FileChannel;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.NoSuchFileException;
-import java.nio.file.Path;
-import java.nio.file.StandardOpenOption;
-import java.util.Properties;
-import java.util.Set;
-
-/**
- * Factory to generate admin properties.
- *
- * <p>
- * Admin properties are {@link Properties} using system properties as defaults, but allow overwriting a specific set of properties with an external config file.
- * Those properties are created by calling {@link #create()}. The method first reads system property {@value #ADMIN_PROP_FILE_KEY}. If it contains a path to a valid properties file, all overridable properties from the file are loaded into the returned admin properties.
- * <p>
- * The overridable properties are:
- * <ul>
- *     <li>cryptomator.logDir</li>
- *     <li>cryptomator.pluginDir</li>
- *     <li>cryptomator.p12Path</li>
- *     <li>cryptomator.mountPointsDir</li>
- *     <li>cryptomator.disableUpdateCheck</li>
- *     <li>cryptomator.hub.allowedHosts</li>
- *     <li>cryptomator.hub.enableTrustOnFirstUse</li>
- * </ul>
- *
- * @see Properties
- * @see System#getProperties()
- */
-class AdminPropertiesFactory {
-
-	private static final Logger LOG = EventualLogger.INSTANCE;
-	private static final long MAX_CONFIG_SIZE_BYTES = 8192;
-	private static final String ADMIN_PROP_FILE_KEY = "cryptomator.adminConfigPath";
-	private static final Set<String> ALLOWED_OVERRIDES = Set.of( //
-			"cryptomator.logDir", //
-			"cryptomator.pluginDir", //
-			"cryptomator.p12Path", //
-			"cryptomator.mountPointsDir", //
-			"cryptomator.disableUpdateCheck", //
- 			"cryptomator.hub.allowedHosts", //
-			"cryptomator.hub.enableTrustOnFirstUse");
-
-
-	/**
-	 * Creates new {@link Properties} containing overridable properties from the admin config.
-	 * <p>
-	 * The returned properties object uses as default the {@link System} properties.
-	 * For a list of overridable properties, see {@link AdminPropertiesFactory}
-	 *
-	 * @return {@link Properties} containing overridable properties from the admin config and defaulting to system properties.
-	 */
-	static Properties create() {
-		var systemProps = System.getProperties();
-		var adminProps = new Properties(systemProps);
-
-		final String adminCfgPath = System.getProperty(ADMIN_PROP_FILE_KEY);
-		if (adminCfgPath == null) {
-			LOG.debug("Admin config property is not defined. Skipping.");
-			return adminProps;
-		}
-		var propsFromFile = loadPropertiesFromFile(Path.of(adminCfgPath));
-
-		for (var key : propsFromFile.stringPropertyNames()) {
-			if (ALLOWED_OVERRIDES.contains(key)) {
-				var value = propsFromFile.getProperty(key);
-				LOG.info("Overwriting {} with value {} from admin config.", key, value);
-				adminProps.setProperty(key, value);
-			} else {
-				LOG.debug("Property {} in admin config is not supported for override.", key);
-			}
-		}
-		return adminProps;
-	}
-
-	//visible for testing
-	static Properties loadPropertiesFromFile(Path adminPropertiesPath) {
-		var adminProps = new Properties();
-		try (FileChannel ch = FileChannel.open(adminPropertiesPath, StandardOpenOption.READ); //
-			 Reader reader = Channels.newReader(ch, StandardCharsets.UTF_8)) {
-			if (ch.size() > MAX_CONFIG_SIZE_BYTES) {
-				throw new IOException("Config file %s exceeds maximum size of %d".formatted(adminPropertiesPath, MAX_CONFIG_SIZE_BYTES));
-			}
-			adminProps.load(reader);
-		} catch (NoSuchFileException _) {
-			//NO-OP
-			LOG.debug("No admin properties found at {}.", adminPropertiesPath);
-		} catch (IOException | IllegalArgumentException e) {
-			LOG.warn("Failed to read administrative properties from {}. Returning empty properties.", adminPropertiesPath, e);
-		}
-		return adminProps;
-	}
-
-}

src/main/java/org/cryptomator/launcher/Cryptomator.java

@@ -11,9 +11,9 @@ import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.Environment;
 import org.cryptomator.common.ShutdownHook;
 import org.cryptomator.common.SubstitutingProperties;
+import org.cryptomator.networking.SSLContextProvider;
 import org.cryptomator.ipc.IpcCommunicator;
 import org.cryptomator.logging.DebugMode;
-import org.cryptomator.networking.SSLContextProvider;
 import org.cryptomator.ui.fxapp.FxApplicationComponent;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -35,8 +35,7 @@ public class Cryptomator {
 	private static final long STARTUP_TIME = System.currentTimeMillis();
 
 	static {
-		var adminProps = AdminPropertiesFactory.create();
-		var lazyProcessedProps = new SubstitutingProperties(adminProps, System.getenv(), EventualLogger.INSTANCE);
+		var lazyProcessedProps = new SubstitutingProperties(System.getProperties(), System.getenv());
 		System.setProperties(lazyProcessedProps);
 		CRYPTOMATOR_COMPONENT = DaggerCryptomatorComponent.factory().create(STARTUP_TIME);
 		LOG = LoggerFactory.getLogger(Cryptomator.class);
@@ -90,11 +89,10 @@ public class Cryptomator {
 	 * @return Nonzero exit code in case of an error.
 	 */
 	private int run(String[] args) {
-		debugMode.initialize();
-		EventualLogger.INSTANCE.drainTo(LOG);
 		env.log();
 		LOG.debug("Dagger graph initialized after {}ms", System.currentTimeMillis() - STARTUP_TIME);
 		LOG.info("Starting Cryptomator {} on {} {} ({})", env.getAppVersion(), SystemUtils.OS_NAME, SystemUtils.OS_VERSION, SystemUtils.OS_ARCH);
+		debugMode.initialize();
 		supportedLanguages.applyPreferred();
 		changeDefaultSSLContext();
 		/*

src/main/java/org/cryptomator/launcher/CryptomatorModule.java

@@ -4,6 +4,7 @@ import dagger.Module;
 import dagger.Provides;
 import org.cryptomator.integrations.autostart.AutoStartProvider;
 import org.cryptomator.integrations.tray.TrayIntegrationProvider;
+import org.cryptomator.integrations.uiappearance.UiAppearanceProvider;
 import org.cryptomator.ui.fxapp.FxApplicationComponent;
 
 import javax.inject.Named;
@@ -29,6 +30,11 @@ class CryptomatorModule {
 		return new ArrayBlockingQueue<>(10);
 	}
 
+	@Provides
+	@Singleton
+	static Optional<UiAppearanceProvider> provideAppearanceProvider() {
+		return UiAppearanceProvider.get();
+	}
 
 	@Provides
 	@Singleton

src/main/java/org/cryptomator/launcher/EventualLogger.java

@@ -1,106 +0,0 @@
-package org.cryptomator.launcher;
-
-import org.slf4j.Logger;
-import org.slf4j.Marker;
-import org.slf4j.event.DefaultLoggingEvent;
-import org.slf4j.event.Level;
-import org.slf4j.event.LoggingEvent;
-import org.slf4j.helpers.AbstractLogger;
-
-import java.util.ArrayDeque;
-import java.util.List;
-import java.util.Objects;
-import java.util.Queue;
-
-class EventualLogger extends AbstractLogger {
-
-	static final EventualLogger INSTANCE = new EventualLogger();
-
-	private final Queue<LoggingEvent> bufferedEvents = new ArrayDeque<>();
-
-	private EventualLogger() {
-	}
-
-	synchronized void drainTo(Logger gutter) {
-		for (var event : bufferedEvents) {
-			var builder = gutter.atLevel(event.getLevel()) //
-					.setCause(event.getThrowable()) //
-					.setMessage(event.getMessage());
-			Objects.requireNonNullElse(event.getArguments(), List.of()).forEach(builder::addArgument);
-			Objects.requireNonNullElse(event.getMarkers(), List.<Marker>of()).forEach(builder::addMarker);
-			builder.log();
-		}
-		bufferedEvents.clear();
-	}
-
-	@Override
-	protected synchronized void handleNormalizedLoggingCall(Level level, Marker marker, String messagePattern, Object[] arguments, Throwable throwable) {
-		var event = new DefaultLoggingEvent(level, this);
-		if (marker != null) {
-			event.addMarker(marker);
-		}
-		event.setMessage(messagePattern);
-		for (var arg : Objects.requireNonNullElse(arguments, new Object[]{})) {
-			event.addArgument(arg);
-		}
-		event.setThrowable(throwable);
-		bufferedEvents.add(event);
-	}
-
-	//Unclear, unused and undocumented method of slf4j, see also https://github.com/qos-ch/slf4j/discussions/348
-	@Override
-	protected String getFullyQualifiedCallerName() {
-		return getClass().getCanonicalName();
-	}
-
-
-	@Override
-	public boolean isTraceEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isTraceEnabled(Marker marker) {
-		return true;
-	}
-
-	@Override
-	public boolean isDebugEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isDebugEnabled(Marker marker) {
-		return true;
-	}
-
-	@Override
-	public boolean isInfoEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isInfoEnabled(Marker marker) {
-		return true;
-	}
-
-	@Override
-	public boolean isWarnEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isWarnEnabled(Marker marker) {
-		return true;
-	}
-
-	@Override
-	public boolean isErrorEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isErrorEnabled(Marker marker) {
-		return true;
-	}
-}

src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java

@@ -18,7 +18,7 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 	public SSLContext getContext(SecureRandom csprng) throws SSLContextBuildException {
 		try {
 			KeyStore truststore = getTruststore();
-			ensureLoaded(truststore);
+			truststore.load(null, null);
 
 			TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 			tmf.init(truststore);
@@ -30,13 +30,4 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 			throw new SSLContextBuildException(e);
 		}
 	}
-
-	static void ensureLoaded(KeyStore truststore) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
-		try {
-			truststore.aliases();
-		} catch (KeyStoreException e) {
-			// Not initialized yet (e.g. custom KeyStore SPI); initialize without replacing preloaded stores.
-			truststore.load(null, null);
-		}
-	}
 }

src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java

@@ -1,73 +1,21 @@
 package org.cryptomator.networking;
 
-import org.cryptomator.common.Nullable;
 import org.cryptomator.integrations.common.OperatingSystem;
-import org.jetbrains.annotations.VisibleForTesting;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.cert.CertificateException;
-import java.util.List;
-import java.util.Properties;
 
 /**
- * SSLContextProvider for Windows using the Windows certificate store as trust store and the bundled JDK cacerts as fallback
+ * SSLContextProvider for Windows using the Windows certificate store as trust store
  * <p>
  * In order to work, the jdk.crypto.mscapi jmod is needed
  */
 @OperatingSystem(OperatingSystem.Value.WINDOWS)
 public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 
-	private static final Logger LOG = LoggerFactory.getLogger(SSLContextWithWindowsCertStore.class);
-	private static final String DEFAULT_TRUSTSTORE_PASSWORD = "changeit"; //default JDK cacerts password
-
 	@Override
-	KeyStore getTruststore() throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
-		var windowsKeyStore = KeyStore.getInstance("WINDOWS-ROOT");
-		var jdkKeyStore = getShippedCaCertsStore();
-		if (jdkKeyStore == null) {
-			return windowsKeyStore;
-		}
-
-		ensureLoaded(windowsKeyStore);
-		ensureLoaded(jdkKeyStore);
-		try {
-			CombinedKeyStoreSpi spi = CombinedKeyStoreSpi.create(windowsKeyStore, jdkKeyStore);
-			Provider dummyProvider = new Provider("CombinedKeyStoreProvider", "1.0", "Provides a combined, read-only KeyStore") {};
-			return new KeyStore(spi, dummyProvider, "CombinedKeyStoreProvider") {};
-		} catch (IllegalArgumentException e) {
-			throw new KeyStoreException(e);
-		}
-	}
-
-	@Nullable
-	KeyStore getShippedCaCertsStore() {
-		return getCaCertsStoreByProperties(System.getProperties());
-	}
-
-	//for testability
-	@VisibleForTesting
-	@Nullable
-	KeyStore getCaCertsStoreByProperties(Properties props) {
-		var javaHome = Path.of(props.getProperty("java.home"));
-		var trustStorePassword = props.getProperty("javax.net.ssl.trustStorePassword", DEFAULT_TRUSTSTORE_PASSWORD).toCharArray();
-		for (var candidate : List.of(javaHome.resolve("lib/security/cacerts"), javaHome.resolve("conf/security/cacerts"))) {
-			try {
-				if (Files.isRegularFile(candidate)) {
-					return KeyStore.getInstance(candidate.toFile(), trustStorePassword);
-				}
-			} catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException e) {
-				LOG.info("Unable to load fallback cacerts {} file. Skipping fallback.", candidate, e);
-			}
-		}
-		return null;
+	KeyStore getTruststore() throws KeyStoreException {
+		return KeyStore.getInstance("WINDOWS-ROOT");
 	}
 
 }

src/main/java/org/cryptomator/ui/addvaultwizard/ChooseExistingVaultController.java

@@ -59,7 +59,7 @@ public class ChooseExistingVaultController implements FxController {
 		this.vault = vault;
 		this.vaultListManager = vaultListManager;
 		this.resourceBundle = resourceBundle;
-		this.screenshot = applicationStyle.appliedAppThemeProperty().map(this::selectScreenshot);
+		this.screenshot = applicationStyle.appliedThemeProperty().map(this::selectScreenshot);
 	}
 
 	private Image selectScreenshot(Theme theme) {

src/main/java/org/cryptomator/ui/addvaultwizard/CreateNewVaultExpertSettingsController.java

@@ -26,7 +26,7 @@ public class CreateNewVaultExpertSettingsController implements FxController {
 
 	public static final int MAX_SHORTENING_THRESHOLD = 220;
 	public static final int MIN_SHORTENING_THRESHOLD = 36;
-	private static final String DOCS_NAME_SHORTENING_URL = "https://docs.cryptomator.org/security/vault/#name-shortening";
+	private static final String DOCS_NAME_SHORTENING_URL = "https://docs.cryptomator.org/security/architecture/#name-shortening";
 
 	private final Stage window;
 	private final Lazy<Application> application;

src/main/java/org/cryptomator/ui/addvaultwizard/CreateNewVaultLocationController.java

@@ -4,7 +4,6 @@ import dagger.Lazy;
 import org.cryptomator.common.ObservableUtil;
 import org.cryptomator.common.locationpresets.LocationPreset;
 import org.cryptomator.common.locationpresets.LocationPresetsProvider;
-import org.cryptomator.common.settings.Settings;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
@@ -39,7 +38,6 @@ import javafx.stage.WindowEvent;
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
-import java.nio.file.InvalidPathException;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Optional;
@@ -66,7 +64,6 @@ public class CreateNewVaultLocationController implements FxController {
 	private final BooleanProperty loadingPresetLocations = new SimpleBooleanProperty(false);
 	private final ObservableList<Node> radioButtons;
 	private final ObservableList<Node> sortedRadioButtons;
-	private final Settings settings;
 
 	private Path customVaultPath = DEFAULT_CUSTOM_VAULT_PATH;
 
@@ -85,7 +82,6 @@ public class CreateNewVaultLocationController implements FxController {
 									 @FxmlScene(FxmlFile.ADDVAULT_NEW_EXPERT_SETTINGS) Lazy<Scene> chooseExpertSettingsScene, //
 									 ObjectProperty<Path> vaultPath, //
 									 @Named("vaultName") StringProperty vaultName, //
-									 Settings settings, //
 									 ExecutorService backgroundExecutor, ResourceBundle resourceBundle) {
 		this.window = window;
 		this.chooseNameScene = chooseNameScene;
@@ -100,18 +96,6 @@ public class CreateNewVaultLocationController implements FxController {
 		this.usePresetPath = new SimpleBooleanProperty();
 		this.radioButtons = FXCollections.observableArrayList();
 		this.sortedRadioButtons = radioButtons.sorted(this::compareLocationPresets);
-		this.settings = settings;
-
-		Path previouslyUsedDirectory = settings.previouslyUsedVaultDirectory.get();
-		if (previouslyUsedDirectory != null) {
-			try {
-				if (Files.exists(previouslyUsedDirectory) && Files.isDirectory(previouslyUsedDirectory) && isActuallyWritable(previouslyUsedDirectory)) {
-					this.customVaultPath = previouslyUsedDirectory;
-				}
-			} catch (InvalidPathException | NullPointerException e) {
-				LOG.warn("Invalid previously used vault directory path: {}", previouslyUsedDirectory, e);
-			}
-		}
 	}
 
 	private VaultPathStatus validatePath(Path p) throws NullPointerException {
@@ -212,12 +196,6 @@ public class CreateNewVaultLocationController implements FxController {
 	@FXML
 	public void next() {
 		if (validVaultPath.getValue()) {
-			if (this.getVaultPath() != null) {
-				Path parentPath = this.getVaultPath().getParent();
-				if (parentPath != null) {
-					this.settings.previouslyUsedVaultDirectory.setValue(parentPath);
-				}
-			}
 			window.setScene(chooseExpertSettingsScene.get());
 		}
 	}

src/main/java/org/cryptomator/ui/changepassword/PasswordStrengthUtil.java

@@ -20,6 +20,7 @@ import java.util.ResourceBundle;
 public class PasswordStrengthUtil {
 
 	private static final int PW_TRUNC_LEN = 100; // truncate very long passwords, since zxcvbn memory and runtime depends vastly on the length
+	private static final String RESSOURCE_PREFIX = "passwordStrength.messageLabel.";
 	private static final List<String> SANITIZED_INPUTS = List.of("cryptomator");
 
 	private final ResourceBundle resourceBundle;
@@ -47,15 +48,13 @@ public class PasswordStrengthUtil {
 	}
 
 	public String getStrengthDescription(Number score) {
-		return switch (score.intValue()) {
-			case -1 -> String.format(resourceBundle.getString("passwordStrength.messageLabel.tooShort"), minPwLength);
-			case 0 -> resourceBundle.getString("passwordStrength.messageLabel.0");
-			case 1 -> resourceBundle.getString("passwordStrength.messageLabel.1");
-			case 2 -> resourceBundle.getString("passwordStrength.messageLabel.2");
-			case 3 -> resourceBundle.getString("passwordStrength.messageLabel.3");
-			case 4 -> resourceBundle.getString("passwordStrength.messageLabel.4");
-			default -> "";
-		};
+		if (score.intValue() == -1) {
+			return String.format(resourceBundle.getString(RESSOURCE_PREFIX + "tooShort"), minPwLength);
+		} else if (resourceBundle.containsKey(RESSOURCE_PREFIX + score.intValue())) {
+			return resourceBundle.getString(RESSOURCE_PREFIX + score.intValue());
+		} else {
+			return "";
+		}
 	}
 
 }

src/main/java/org/cryptomator/ui/common/FxmlFile.java

@@ -19,7 +19,6 @@ public enum FxmlFile {
 	HEALTH_START("/fxml/health_start.fxml"), //
 	HEALTH_CHECK_LIST("/fxml/health_check_list.fxml"), //
 	HUB_NO_KEYCHAIN("/fxml/hub_no_keychain.fxml"), //
-	HUB_CHECK_HOST_TRUST("/fxml/hub_check_host_trust.fxml"), //
 	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
 	HUB_INVALID_LICENSE("/fxml/hub_invalid_license.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
@@ -30,7 +29,6 @@ public enum FxmlFile {
 	HUB_REGISTER_FAILED("/fxml/hub_register_failed.fxml"), //
 	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
 	HUB_UNAUTHORIZED_DEVICE("/fxml/hub_unauthorized_device.fxml"), //
-	HUB_UNTRUSTED_HOST("/fxml/hub_untrusted_host.fxml"), //
 	HUB_REQUIRE_ACCOUNT_INIT("/fxml/hub_require_account_init.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
@@ -40,15 +38,13 @@ public enum FxmlFile {
 	MIGRATION_RUN("/fxml/migration_run.fxml"), //
 	MIGRATION_START("/fxml/migration_start.fxml"), //
 	MIGRATION_SUCCESS("/fxml/migration_success.fxml"), //
-	NOTIFICATION("/fxml/notification.fxml"), //
 	PREFERENCES("/fxml/preferences.fxml"), //
 	QUIT("/fxml/quit.fxml"), //
 	QUIT_FORCED("/fxml/quit_forced.fxml"), //
 	RECOVERYKEY_CREATE("/fxml/recoverykey_create.fxml"), //
-	RECOVERYKEY_EXPERT_SETTINGS("/fxml/recoverykey_expert_settings.fxml"), //
-	RECOVERYKEY_ONBOARDING("/fxml/recoverykey_onboarding.fxml"), //
 	RECOVERYKEY_RECOVER("/fxml/recoverykey_recover.fxml"), //
 	RECOVERYKEY_RESET_PASSWORD("/fxml/recoverykey_reset_password.fxml"), //
+	RECOVERYKEY_RESET_PASSWORD_SUCCESS("/fxml/recoverykey_reset_password_success.fxml"), //
 	RECOVERYKEY_SUCCESS("/fxml/recoverykey_success.fxml"), //
 	SHARE_VAULT("/fxml/share_vault.fxml"), //
 	SIMPLE_DIALOG("/fxml/simple_dialog.fxml"), //
@@ -62,7 +58,6 @@ public enum FxmlFile {
 	VAULT_STATISTICS("/fxml/stats.fxml"), //
 	WRONGFILEALERT("/fxml/wrongfilealert.fxml");
 
-
 	private final String ressourcePathString;
 
 	FxmlFile(String ressourcePathString) {